Typographic Conventions


This document uses these typographic conventions. 


• The names of windows, views, tabs, dialog boxes, panes, panels, buttons, fields, options,
checkboxes, and the like are in Initial Caps, or otherwise capitalized according to their labels.

• Keystrokes are shown in all capital letters, such as TAB, CTRL, OPT, CMD, SPACEBAR.
Keys pressed at the same time are joined with +, such as CTRL+S, OPT+T.

• The names of elements that you are directed to interact with by clicking, selecting, or typing
are shown in bold.

• Immediately contiguous menu actions, such as clicking a toolbar button or menu and then
immediately clicking another item in a resulting submenu, are separated with the > symbol,
such as

Edit > Copy
Preferences > Data Collection

• File names, folder names, file paths, disk names, drive names, volume names, partition names,
and the like are shown in italic. File extensions such as .pdf, .docx, .jpg, and so forth are not
shown in italic.

• Variables are enclosed with <angle brackets>, such as <PLATFORM> VOLUMES, where
<PLATFORM> is either MACOS or WINDOWS.

• Anything you are directed to type exactly, such as file names, commands,
or code, is shown in a console font.


If you find any typos, inaccuracies, or other problems in this documentation, please send an 
email to support@cellebrite.com. Please include the title of the document, the version of the
document, and the title of the topic in your message. 
Document Revision History


This user guide addresses only the most recent version of Digital Collector. 


This topic identifies information that is new, removed, or changed within this document for the 
3.4 release of Digital Collector. 


Description: This topic is new.
Topic: What's New in Version 3.4

Description: Added and revised information throughout this manual regarding M1 Mac computers
and macOS 11 and 12 to align with improvements discussed in the "What's New in 3.3" topic of
the Digital Collector 3.3 User Guide.
Topic: These topics are new:
• Imaging Considerations for macOS
• Imaging M1 Mac Computers

Description: Added information about custom file filters and collection templates, which were
introduced in the "What's New in 3.3" topic of the Digital Collector 3.3 User Guide.
Topic: The Collection View topic was revised.
The Templates menu was added to the Menu Bar topic.
The Templates Menu topic is new.
These topics are new or revised in the chapter titled "Collecting Data from a Source Computer":
• Selecting User Files
• Custom File Filters and Collection Templates
• Create and Manage Custom File Filters
• Collection Templates
• Save Current Selections as a Template
• Create and Manage Collection Templates
• Apply a Collection Template

Description: Ancillary to the changes required for custom file filters and collection
templates, updated these topics
Topic:
• Selecting System Data
• Selecting System Files
• Selecting Additional Files and Folders

Description: Revised information about the DCData volume on the Digital Collector SSD. This
aligns with the change from NTFS to exFAT discussed in the "What's New in 3.3" topic of the
Digital Collector 3.3 User Guide.
This includes the removal of the Other tab on the Preferences window because there is no
longer an option to disable warnings about exFAT destination volumes.
Topic:
• Digital Collector Device
• Updating Digital Collector
• Update Digital Collector on Mac Computers
• Update Digital Collector on Windows Computers
• Format Device Tool
• Setting Preferences on a Mac Computer
• Setting Preferences on a Windows Computer
• Frequently Asked Questions

Description: Revised information about previews to align with improvements discussed in the
"What's New in 3.3" topic of the Digital Collector 3.3 User Guide.
Topic:
• Browser View
• Search View

Description: Revised information about imaging for APFS volumes to align with improvements
discussed in the "What's New in 3.3" topic of the Digital Collector 3.3 User Guide.
Topic:
• Imaging Considerations for macOS
• Launch Digital Collector on a Live Mac Computer
• Acquire a Physical or Logical Image of a Mac Computer

Description: To improve accuracy and visibility, revised the title of this topic and moved it
to a different location in the Views section of the Workspace Orientation chapter.
Topic: Views of System Volume and Data Volume on Mac Computers

Description: Added the Note paragraph.
Topic: Start a Windows Computer with Digital Collector

Description: Added the Note paragraph to the description of the Content criteria.
Topic: Search View

Description: Added information about the iCloud Drive message to Step 3.
Topic: Acquire a Physical or Logical Image of a Mac Computer

Description: Added information about not writing to the DCData partition from a Windows
computer started from the Digital Collector SSD when that partition is formatted NTFS.
Topic: Imaging Windows Computers

Description: Identified the versions of macOS that SoftBlock can run on.
Topic: Preserving and Acquiring Digital Forensic Evidence

Description: Added note and warning to not select the EFI partition.
Topic: Start a Mac Computer with Digital Collector




May 2022 Digital Collector User Guide 


What's New in Version 3.4 


These features and capabilities are new or changed in this release of Digital Collector. 


Keyboard Navigation 
The View menu provides new options for navigating among all the views in Digital Collector. 


In addition, you can now use only a keyboard to navigate in Digital Collector. This is useful when 
a mouse is not available or not functioning. With normal keyboard navigation for your computer's 
operating system, you can perform all operations necessary to create an image or collect files. 


These keystrokes are particularly useful in Digital Collector. 


Action | Mac | Windows
Open the next view (to the right) | CMD+TAB | CTRL+TAB
Open the previous view (to the left) | CMD+SHIFT+TAB | CTRL+SHIFT+TAB
Open a specific view or window | CMD+ | CTRL+
    1 (Case Details)
    2 (Browser)
    3 (Search)
    4 (Collection)
    5 (Image)
    6 (Mount Device)
    7 (Format Device)
    8 (Hash Device)
    9 (Hash Image File)
    0 (Terminal)
Close window | CMD+W | CTRL+W
Switch among windows | CMD+` | ALT+TAB
Refresh device list | CMD+R | CTRL+R
Navigate among elements in the user interface (panes, fields, checkboxes, options, buttons) | TAB | TAB
Navigate among items in lists, menus | Arrow keys | Arrow keys
Make a selection, "press" a button | ENTER or SPACEBAR | ENTER or SPACEBAR
Open Menu bar | FN+CMD+F2 | ALT+F or ALT+E
Close Digital Collector | CMD+Q | CTRL+Q


Version 3.4 What's New in Version 3.4 


Preview Improvements for M1 Mac Computers 


For M1 Mac computers booted from the Digital Collector SSD, improvements were made to file 
previews. File previews are now available for additional popular file types, including .rtf, .html, 
and MS Office files. 


Improved Process to Install Renewed License 


The process for installing your renewed Digital Collector license on your Digital Collector device 
(dongle) has been simplified. The License Manager application is no longer used. Instead,
license installation is managed within Digital Collector itself or the updater app for Digital 
Collector. 


Automatic 


The easiest and recommended method is to run Digital Collector on a computer with an internet 
connection. If the license needs to be installed, the License Required dialog box automatically 
appears when you run Digital Collector. 


[Screenshot: License Required dialog box. It shows the Dongle ID, a Quit button, and this text.]

Digital Collector cannot detect a license file.

If connected to the internet, it may be possible to automatically install your license.
(Button: Install License Automatically)

If this system is not connected to the internet, the install can be handled manually.
(Button: Manually Install License)


Click Install License Automatically.


Digital Collector automatically finds and installs your renewed license. 


Manual 
If automatic installation fails, click Manually Install License. 


This License Required dialog box appears. 


[Screenshot: License Required dialog box. It shows the Dongle ID, Quit and Back buttons, and this text.]

Digital Collector cannot detect a license file.

1) Open the MyCellebrite portal and download the offline license file for Digital Collector.
https://community.cellebrite.com
2) Rename that file "BBTLicense".
3) Quit Digital Collector.
4) Copy the BBTLicense file to the WINDOWS APP partition on the Digital Collector dongle.
5) Restart Digital Collector.
6) On macOS make sure Digital Collector has Full Disk Access.
This is set in System Preferences: Security & Privacy; Full Disk Access


Follow the instructions to manually install the license. 
Manual without Internet


If the computer running Digital Collector does not have an internet connection, click Manually 
Install License. This License Required dialog box appears. 


[Screenshot: License Required dialog box. It shows the Dongle ID, Quit and Back buttons, and this text.]

Digital Collector cannot detect a license file.

1) Open the MyCellebrite portal and download the offline license file for Digital Collector.
https://community.cellebrite.com
2) Rename that file "BBTLicense".
3) Quit Digital Collector.
4) Copy the BBTLicense file to the WINDOWS APP partition on the Digital Collector dongle.
5) Restart Digital Collector.
6) On macOS make sure Digital Collector has Full Disk Access.
This is set in System Preferences: Security & Privacy; Full Disk Access


1. Complete the first two steps on a separate computer that does have an internet connection 
and prepare to copy and paste the resulting file named BBTLicense with your usual method, 
such as by using a USB drive. 

2. On the computer that the Digital Collector device is connected to, be sure that Digital
Collector is not running. 

3. Complete the remaining steps on the License Required dialog box. 
Introduction


This user guide addresses only the most recent version of Cellebrite Digital Collector. 


Cellebrite Digital Collector is a comprehensive software solution to help investigators collect and 
forensically image both static and live data from Mac and Windows computers as well as 
compatible external storage devices. 


Digital Collector is designed for both novice and advanced users. It offers a clean interface 
featuring easy navigation as well as powerful advanced options. The interface provides forensic 
examiners both robust capabilities and an intuitive and elegant user experience throughout all 
phases of a digital forensic acquisition. 


With Digital Collector, you can accomplish these tasks. 


• Triage suspect computers and peripherals.

• Acquire data from live, running computers. (You can acquire RAM and volatile data only from
Mac computers.)

• Select targeted data for collection.

• Create forensic images of computers and peripherals.


Digital Collector boots into a forensically sound environment on the Digital Collector device. You 
may also launch Digital Collector from your own analysis computer to acquire a connected 
device. 


On Mac computers, you should launch Digital Collector from an administrator account when 
possible, so that it runs with admin-level permissions. When you launch with an administrator 
password, Digital Collector runs with root privileges. 


This chapter provides these topics. 


• Intended Audience

• Digital Collector Device

• Product Registration

• Accepting the Digital Collector End User License Agreement

• Updating Digital Collector

• Getting Support
Intended Audience


Forensic software tools offered by Cellebrite are intended for use by law enforcement officials, 
private investigators, corporate security specialists, and other parties who investigate
Mac-based and Windows-based computers and devices for evidentiary data.


Users of Cellebrite software should possess these core competencies. 


• Basic knowledge of and experience using Apple and Windows computers and their peripheral
devices

• Familiarity with macOS and Windows operating system environments

• Knowledge and training in basic computer forensics policies and procedures

• An understanding of forensic images and how to correctly acquire them

• A fundamental understanding of how to preserve, acquire, authenticate, and analyze digital
evidence, and how to report digital forensic investigation findings


Digital Forensics Overview 


Forensics is preserving, acquiring, authenticating, analyzing, reporting, and managing digital 
evidence. Digital evidence includes data found on computer hard drives, external hard drives, 
CDs and DVDs, portable media such as USB thumb drives, Android devices, and iPod, iPhone, 
and iPad (iOS) devices. 


A digital forensic examination includes these basic steps. 


1. Preserve: Identify, secure, transport, and store the digital evidence (chain of custody).
2. Acquire: Create a forensically sound image of the evidence.
3. Authenticate: Confirm the forensic image is identical to the original (forensically sound).
4. Analyze: Create a case and analyze the evidence using an appropriate software solution.
5. Report: Thoroughly document the data investigation process and results of the analysis.
6. Manage: Back up, archive, detach/attach, and restore cases and evidence as needed.


Preserving and Acquiring Digital Forensic Evidence 


a digital forensic investigation. 


Digital evidence must be preserved in its original form to the greatest extent possible for it to be 
admissible during a legal proceeding. A forensic examiner must carefully preserve, acquire, and 
authenticate electronic data during their examination. Therefore, it is of the utmost importance 
to acquire electronic evidence in a way that ensures no changes are made to the original data 
during the acquisition process. 


A forensically sound image is a bit-by-bit image that is identical in every way to the original, 
including allocated, unallocated, and free space. 




Preserving Evidence Using a Write-Blocker 


Some operating systems attempt to write to the hard drive or device containing original evidence 
during the acquisition process. A write-blocker stands between the forensic examiner's 
computer or hardware acquisition tool and the devices containing the original evidence.
Write-blockers prevent evidence contamination during the acquisition process.


These are the types of write-blockers. 


Hardware-Based Write-Blockers 


A hardware-based write-blocker is a hardware device that is placed with cables and port 
connections between the forensic examiner's computer and the device containing the original 
digital evidence. Hardware-based write-blockers allow one-way, read-only data transfer 
between the device containing the evidence and the forensic examiner's computer. If the forensic 
examiner's operating system tries to write to the device containing the original data, the
write-blocker blocks the unwanted data transfer.


Software-Based Write-Blockers 


Software-based write-blockers serve the same purpose as hardware-based write-blockers. 
Software-based write-blockers reside on either the forensic examiner's computer, or on a
hardware acquisition tool. SoftBlock™, offered by Cellebrite, is an example of a software-based 
write-blocker that runs on the forensic examiner's computer. (SoftBlock runs on computers 
running macOS 10.15 and earlier.) Digital Collector, offered by Cellebrite, is a hardware 
acquisition tool that has a software-based write-blocker built in. 


A software-based write-blocker may be advantageous to a forensic examiner, as it may eliminate 
the need to purchase and carry expensive and cumbersome external hardware-based
write-blockers.


Using SoftBlock During a Live Acquisition 


A forensic examiner may need to acquire data from a machine while the machine is running, or 
live. Data collected during a live acquisition may be saved to a forensic image as needed. Live 
data may be acquired from hard drives or another electronic data source. 


During a live acquisition, the device containing the original evidence must remain connected to 
the forensic examiner's machine throughout the investigation. A write-blocker must be in place 
throughout the investigation as well. SoftBlock is an excellent software-based write-blocking 
solution for live data acquisitions. 
Acquiring Digital Evidence


A forensic image is a physical representation of the acquired device, even though it is saved as a 
file. Forensic images are static, meaning they remain the same even after you add them to a
case. Forensic images may be backed up and stored for later use if necessary. 


A forensic examiner uses these types of tools to acquire digital evidence. 


Hardware Acquisition Tools: Hardware acquisition tools are physical devices used to 
collect digital evidence. They do not necessarily have a central processing unit (CPU), are 
self-contained, and may be hand-held. Digital Collector is an example of a hardware 
acquisition tool. Digital Collector can acquire a forensically sound image or collect data 
directly from a live source Mac or Windows computer (including RAM for macOS). 


Software Acquisition Tools: Software acquisition tools reside on a forensic examiner's 
computer. Software acquisition tools often allow a forensic examiner to choose the 
forensic image file format, compression level, and the size of the data segments at the 
time the acquisition is performed. Inspector, offered by Cellebrite, has a software 
acquisition tool built in for acquiring iOS and Android devices.


Authentication and Hashing 


After you acquire a forensic image, you must authenticate it to confirm the image is an exact 
copy of the original. This is accomplished by hashing both the source and the acquired image. 
Hashing is the process, done by forensic software, of applying an algorithm (mathematical 
formula) to generate a value that uniquely identifies data. This value is usually expressed as a
sequence of hexadecimal digits. If the hash value of the acquired forensic image matches the 
hash value of the original data, the forensic image and original data can be considered identical. 


Digital Collector and Inspector use these algorithms to generate hash values. 


• Message Digest 5 (MD5)
• Secure Hash Algorithm 1 (SHA-1)
• Secure Hash Algorithm 2, 256-bit length (SHA-256)
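
The source-versus-image comparison described above, as an added example in Python (not part of the original guide and not Digital Collector's own code). It hashes both inputs in a single pass with the three listed algorithms and, when they disagree, reports the first differing byte offset. The function names, file names, and sample data are constructed for illustration; on real evidence the source path would be a write-blocked device.

```python
import hashlib
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")   # the three algorithms the guide lists
CHUNK_SIZE = 1024 * 1024                 # 1 MiB reads keep memory flat on large images
# MD5 and SHA-1 have known collision attacks, so treat SHA-256 as the
# authoritative value when deliberate tampering is in scope.


def hash_stream(path, algorithms=ALGORITHMS, chunk_size=CHUNK_SIZE):
    """Hash a file or device node once, feeding every algorithm from the same read.

    Returns (digests, size): digests maps algorithm name to a hex string and
    size is the number of bytes actually read.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            size += len(chunk)
            for hasher in hashers.values():
                hasher.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, size


def first_difference(source_path, image_path, chunk_size=CHUNK_SIZE):
    """Return the offset of the first differing byte, or None if identical.

    A length mismatch is reported at the end of the shorter input.
    """
    offset = 0
    with open(source_path, "rb") as src, open(image_path, "rb") as img:
        while True:
            a, b = src.read(chunk_size), img.read(chunk_size)
            if a != b:
                common = min(len(a), len(b))
                for i in range(common):
                    if a[i] != b[i]:
                        return offset + i
                return offset + common
            if not a:
                return None
            offset += len(a)


def authenticate(source_path, image_path):
    """Compare source and image under all algorithms and summarise the result."""
    src_digests, src_size = hash_stream(source_path)
    img_digests, img_size = hash_stream(image_path)
    mismatched = [n for n in ALGORITHMS if src_digests[n] != img_digests[n]]
    verified = not mismatched and src_size == img_size
    return {
        "verified": verified,
        "mismatched_algorithms": mismatched,
        "source": src_digests,
        "image": img_digests,
        "sizes": (src_size, img_size),
        # Only walk both inputs a second time when the digests disagree.
        "first_difference": None if verified
        else first_difference(source_path, image_path),
    }


def demo():
    """Run the check on constructed data: exact, bit-flipped and truncated copies."""
    payload = bytes(range(256)) * 8192 + b"tail"   # constructed, 2 MiB + 4 bytes
    flipped = bytearray(payload)
    flipped[1_500_000] ^= 0x01                     # single-bit change
    samples = {"exact": payload, "bitflip": bytes(flipped), "truncated": payload[:-4]}
    results = {}
    with tempfile.TemporaryDirectory() as workdir:
        source = os.path.join(workdir, "source.raw")
        with open(source, "wb") as handle:
            handle.write(payload)
        for label, data in samples.items():
            image = os.path.join(workdir, label + ".img")
            with open(image, "wb") as handle:
                handle.write(data)
            results[label] = authenticate(source, image)
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, result["verified"], result["mismatched_algorithms"],
              result["first_difference"])
```

Record the digests of the source at acquisition time and store them with the case notes, so the image can be re-verified later without touching the original device again.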


Digital Collector Device 


The same Cellebrite Digital Collector device works for both Windows and Mac computers. The 
solid-state drive (SSD) is either 120 GB or 1 TB and is shipped with two cables, USB 3.0 and 
USB-C. The SSD has several partitions, some of which may be hidden, and some of which you 
must not interact with. 


Whether and how you see and interact with these partitions depends on if Digital Collector is 
running live or booted, if you're on a Mac or a Windows computer, and the manufacturer and 
BIOS for specific Windows computers. 
These are the partitions you may interact with.


Partition Name: MacOS App
Description: Contains the Digital Collector application to run on Mac computers. Also
contains these files:
• Digital Collector EULA.txt
• Digital Collector 3rd Party Licenses.txt

Partition Name: WINDOWS APP
Description: Contains the Digital Collector application to run on Windows computers. Also
contains these files:
• Digital Collector EULA.txt
• Digital Collector 3rd Party Licenses.txt
• Digital Collector license file
• com.cellebrite.DigitalCollector.settings

Partition Name: DCData
Description: A storage partition formatted with exFAT. This best supports reading images on
both the Mac and Windows platforms.

(Cellebrite had previously discouraged exFAT because older versions of macOS
had some problems with their exFAT implementations. In recent years those
issues seem to have been fixed. If you do encounter issues, you can change the
format of the DCData partition.)

The DCData partition can be used as a destination drive during quick, smaller
data collections.

The size of the DCData partition is larger on the 1 TB SSD than on the 120 GB
SSD.

There are two ways to make space in the DCData partition for new collections.

• Delete files within the partition using any computer that supports exFAT.
• Use the Format Drive tool within Digital Collector to delete all the contents of
the partition.


There are also partitions you can use when you need to start (boot) Mac computers running 
operating systems older than macOS Sierra 10.12. 


If the collection is larger than the space available on the DCData partition, you must use an 
external storage device to serve as the destination. For more information, see Other Equipment. 
Operating Systems
A single Digital Collector solid state drive (SSD) can run on both the Mac and Windows platforms. 


Digital Collector will run on live Windows computers with 64-bit hardware running Windows 10, 
version 1909 and newer. It will start (forensically boot) Windows computers running Windows 10 
and may start older Windows operating systems. 


Digital Collector can run on live Mac computers and also start (forensically boot) Mac computers
with these operating systems: 


• macOS Monterey 12

• macOS Big Sur 11

• macOS Catalina 10.15

• macOS Mojave 10.14

• macOS High Sierra 10.13

• macOS Sierra 10.12


Additional (legacy) boot partitions let you attempt to start Mac computers with operating systems 
including OS X El Capitan 10.11 and older. If a Mac computer cannot boot to the current version 
of Digital Collector, try again with the first additional boot partition. If necessary, attempt again 
with the remaining boot partitions in ascending numerical order. 


There are some constraints to be aware of in specific circumstances. For more information, see
Imaging Considerations for macOS. 
File Systems and Decryption


Cellebrite Digital Collector supports decryption in these scenarios when you provide the correct 
credentials. 


Windows Computers 


Digital Collector can acquire an image of an encrypted disk on Windows. Digital Collector cannot 
decrypt data during imaging or unlock encrypted disks for data collection from Windows 
computers. 


If the encryption is a variant supported by Inspector, such as BitLocker, the image can be 
decrypted during Ingestion. 


Mac Computers 


Digital Collector supports decryption during imaging or for data collection from Mac computers 
using software or hardware encryption. 


Software encryption: 


• CoreStorage (HFS Plus) with FileVault 2
• APFS with FileVault 2


Hardware-assisted encryption: 


• M1 chip
• T2 chip


There are some constraints to be aware of in specific circumstances. For more information, see
Imaging Considerations for macOS. 


Other Equipment 


You should be prepared to use Cellebrite Digital Collector under any circumstance and have 
other necessary equipment immediately available. 


The Digital Collector solid state drive (SSD) ships with a USB 3.0 cable and a USB-C cable. You 
will encounter a variety of Mac and Windows computers with different amounts and types of 
ports. The cables and types of connections required to connect source computers to your host 
computer depend on the platforms, the manufacturers, and the models. 


Therefore, you should equip yourself with an assortment of high-quality cables, adapters, and 
powered hubs to ensure that you can provide power to devices and can properly connect devices 
to each other. 


Before you connect a source computer to a host or analysis computer, you must have write 
blocking in place. This can be either a hardware-based write-blocker or a software-based
write-blocking application that you install on your own host computer. Cellebrite offers SoftBlock™,
which lets you choose to mount newly attached computers and hardware devices with read-only 
or read-write permissions. SoftBlock runs on computers running macOS 10.15 and earlier. 
(Hardware write blockers add a layer of complexity. The hardware write blocker must be 
considered when determining the cables and adapters required. If there are difficulties, the 
hardware write blocker itself as well as its connections present additional items for 
troubleshooting.) 
The DCData volume on the Digital Collector SSD may not have enough available space to hold
large images or data collections. Therefore, you should also have on hand external hard drives 
or SSDs in appropriate formats with sufficient capacity to serve as the destination. 


For starting (booting) source computers with Digital Collector, you should have wired keyboards
that can connect to various Mac and Windows computers. This is because a wireless keyboard 
may not transmit keystrokes to the source computer in time to prevent it from booting to its 
internal operating system. 


Considerations for Mac Computers 


When you work with Mac hardware, genuine Apple cables and adapters are required. Off-brand
cables and adapters are not sufficiently reliable and capable. 


Target disk mode (TDM) is a Mac feature that essentially turns the computer into an external
hard drive. The original purpose of TDM was file transfer. When you place a source computer in 
TDM, you can create an image of it with Digital Collector. When a source Mac computer is in 
TDM it will be written to when connected to another computer, which means write blocking is 
required. 


Older Mac computers require a FireWire connection to use the TDM interface. Newer Mac 
computers allow access with Thunderbolt and USB. For more information, see 
https://support.apple.com/en-us/HT201462. In particular, the Apple USB-C TB3 cable is the
most reliable for connecting a host computer with a USB-C port to a source computer in TDM. If 
the host computer has a Thunderbolt 2 port, the most reliable connection is the Apple TB cable 
and Apple TB3 to TB2 adapter. 


Note: TDM does not exist on M1 Mac computers. 


Product Registration 


Cellebrite Digital Collector product license registration occurs at the time of purchase and 
before the product is shipped. Each license is bound to a Digital Collector device. 


Subscriptions 


Each new Digital Collector product purchase includes a one-year license subscription. During 
this one-year subscription period, you have the right to download and install all Digital Collector 
updates and new releases. 


Please be sure to renew your product license subscriptions annually through your Cellebrite 
Sales Representative to continue receiving subscription benefits. 


You may view your current registration information, check for product updates, and download 
new product releases. For more information, see Getting Support. 
Accepting the Digital Collector End User License Agreement


Introduction 


To accept the End User License Agreement (EULA), you must launch Cellebrite Digital Collector. 
You can do this on any computer you wish, but it is most practical to do this on your own 
computer as soon as you receive the Digital Collector device. This topic assumes that you are 
using your own computer to accept the EULA, rather than a source computer, and that you have 
administrator credentials. 


Permanently Accept the EULA on a Windows Computer 


1. 


oa 


5: 


14 


Connect the Digital Collector SSD to a USB port on the computer. 
Ignore any prompts to scan or format the SSD. 

Use File Explorer see the WINDOWS APP partition. 

In the WINDOWS APP partition, double-click DigitalCollector.exe. 
Choose the appropriate action. 


e |f User Account Control [UAC] is not enabled, go to Step 5. 
e |f User Account Control (UAC) is enabled and the logged-in user: 


O 


G Digital Collector EULA o 


IMPORTANT: PLEASE READ THIS END USER LICENSE AGREEMENT CAREFULLY. DOWNLOADING, INSTALLING, ACCESSING OR USING 
\CELLEBRITE-SUPPLIED SOFTWARE (AS PART OF A PRODUCT OR STANDALONE) CONSTITUTES EXPRESS ACCEPTANCE OF THIS AGREEMENT. 
\CELLEBRITE IS WILLING TO LICENSE SOFTWARE TO YOU ONLY IF YOU ACCEPT ALL OF THE TERMS CONTAINED IN THIS AGREEMENT (THE 
|"EULA”), ANY ADDITIONAL TERMS IN AN AGREEMENT SIGNED BY BUYER (AS DEFINED BELOW) AND CELLEBRITE, AND ANY “CLICK-ACCEPT” 
AGREEMENT, AS APPLICABLE. TO THE EXTENT OF ANY CONFLICT AMONG THIS EULA, ANY ADDITIONAL TERMS IN AN AGREEMENT SIGNED 
IBY BUYER AND CELLEBRITE, ANY “CLICK-ACCEPT” AGREEMENT, ANY TERMS ON A PURCHASE ORDER AND CELLEBRITE'S TERMS AND 
ICONDITIONS OF SALE, THE ORDER OF PRECEDENCE SHALL BE (A) AN AGREEMENT SIGNED BY BUYER AND CELLEBRITE; (B) THIS EULA; (C) 
[THE “CLICK-ACCEPT” AGREEMENT; (D) CELLEBRITE'S TERMS AND CONDITIONS OF SALE; AND (E) BUYER'S PURCHASE ORDER, TO THE EXTENT 
ISUCH TERMS ARE PERMISSIBLE UNDER CELLEBRITE'S TERMS AND CONDITIONS OF SALE OR AN AGREEMENT SIGNED BY BUYER AND 
\CELLEBRITE (COLLECTIVELY, (A)-(E), AFTER APPLYING THE ORDER OF PRECEDENCE, THE “AGREEMENT"). 


IBY DOWNLOADING, INSTALLING, ACCESSING, OR USING THE SOFTWARE, USING THE PRODUCT OR OTHERWISE EXPRESSING YOUR 
[AGREEMENT TO THE TERMS CONTAINED IN THE AGREEMENT, YOU INDIVIDUALLY AND ON BEHALF OF THE BUSINESS OR OTHER 
ORGANIZATION THAT YOU REPRESENT (THE “BUYER”) EXPRESSLY CONSENT TO BE BOUND BY THIS AGREEMENT. IF YOU DO NOT OR 
|CANNOT AGREE TO THE TERMS CONTAINED IN THE AGREEMENT, THEN (A) DO NOT DOWNLOAD, INSTALL, ACCESS, OR USE ANY SOFTWARE 
(OR, AS APPLICABLE, ANY PRODUCT IN WHICH ANY SOFTWARE IS EMBEDDED), AND (B) WITHIN THIRTY (30) DAYS AFTER RECEIPT OF ANY 
ISOFTWARE (OR, IF AN AGREEMENT BETWEEN BUYER AND CELLEBRITE PROVIDES A SHORTER TIME PERIOD FOR ACCEPTANCE, SUCH 
ISHORTER TIME PERIOD FOR ACCEPTANCE), EITHER RETURN SUCH SOFTWARE TO CELLEBRITE OR TO THE APPLICABLE AUTHORIZED 
RESELLER FOR FULL REFUND OF THE SOFTWARE LICENSE FEE, OR, IF SUCH SOFTWARE IS EMBEDDED IN A PRODUCT FOR WHICH NO 
ISEPARATE SOFTWARE LICENSE FEE WAS CHARGED, RETURN SUCH PRODUCT AND EMBEDDED SOFTWARE, UNUSED, TO CELLEBRITE OR TO 
|THE APPLICABLE AUTHORIZED RESELLER FOR A FULL REFUND OF THE LICENSE FEE PAID FOR THE APPLICABLE SOFTWARE EMBEDDED IN 
ISUCH PRODUCT. YOUR RIGHT TO RETURN AND REFUND ONLY APPLIES IF YOU ARE THE ORIGINAL END USER PURCHASER OF SUCH PRODUCT 
[AND/OR LICENSEE OF SUCH SOFTWARE. 


[This EULA governs Buyer's access to and use of any Software and/or any Product (as defined below) first placed in use by Buyer on or after the 
release date of this EULA (the “Release Date’). 


1. DEFINITIONS — In this Agreement, the following capitalized terms shall have the meaning set forth below: 


|" Affiliate” of a party means such party's parent corporation, an entity under the control of such party's parent corporation at any tier or an entity 
controlled by such party at any tier. For these purposes, “control” shall mean the power to direct or cause the direction of the management and 
\policies of the entity, whether through the ownership of more than 50% of the outstanding voting interests in such entity or otherwise. 


ors ee REAP P TE OEN SERET, ae Y SRE eT E ere 


Disagree Agree 


has administrative permissions, click Yes. The Digital Collector End User License 
Agreement (EULA) window appears. 
does not have administrative permissions, enter an administrator password, clicking 
More Choices if necessary to see all the user accounts for this computer. The Digital 
Collector End User License Agreement (EULA) window appears. 


In the lower left corner of the Digital Collector EULA window, mark the Permanently Accept 
checkbox, and then click Agree. 


The Digital Collector window appears. 


Permanently Accept the EULA on a Mac Computer 


1. Connect the Digital Collector SSD to a USB port on the computer. 

2. Use Finder to browse to the MacOS App partition on the SSD, and then double-click 
DigitalCollector.app. 

3. Provide login credentials for your administrative user account. 

4. Type your credentials in the User Name and Password fields, and then click Install Helper. 
The Digital Collector End User License Agreement (EULA) window appears. 

5. In the lower left corner of the Digital Collector EULA window, mark the Permanently Accept 
checkbox, and then click Agree. 
The Digital Collector window appears. 


Updating Digital Collector 


Cellebrite Digital Collector solid state drives (SSD) ship with the most recent Digital Collector 
software version. Nonetheless, you should check for software updates the first time the software 
is launched, and periodically thereafter to ensure the software remains up to date. The Check for 
Updates feature requires an active Internet connection. 


You can update the Digital Collector SSD on either a Mac or a Windows computer. 


• Update Digital Collector on Mac Computers 
• Update Digital Collector on Windows Computers 
• Troubleshooting the Cellebrite Digital Collector Updater 


As of version 3.3, the Digital Collector updater app formats the DCData partition as exFAT. 
The updater app runs on these operating systems: 


• macOS 10.14.3 and newer 
• Windows 10 only, v 1909 or newer 


Receive Product Announcements 


The Cellebrite Customer Support team sends product update notices by email to customers who 
choose to receive future product announcements. These notices often include a direct download 
link for the latest software version. 


To receive Digital Collector product update notices by email, please send an email to 
support@cellebrite.com. The subject line must be “Cellebrite Digital Collector Product 
Information Opt-in Request”. Also include your name (or organization name) and additional 
contact information in the email body. 


Update Digital Collector on Mac Computers 


You must check for updates and then download the updater before you run the update process 
for the Cellebrite Digital Collector solid state drive (SSD). As of version 3.3, the Digital Collector 
updater app formats the DCData partition as exFAT. 


Check for Updates 


1. In the Digital Collector menu bar, click Digital Collector > Check for Updates. 

2. Log in to the Cellebrite Customer Community. 

3. If a newer Digital Collector software version is available, the Software Update window shows 
this message: An Update was found. 

4. Choose one of these actions. 


• To skip the update and dismiss the Software Update window, click Skip This Version. 

• To temporarily dismiss the Software Update window, click Remind Me Later. 

• To download the Digital Collector Updater, click Download Update and follow the 
prompts. 


Update Digital Collector 
You must update the Digital Collector SSD to update the Digital Collector software. 


Warning: Do not disconnect the Digital Collector SSD from the computer until the update 
process is complete. Doing so may render the device unusable. 


1. After you check for updates and download the Digital Collector Updater archive file, extract 
the update from the archive. 
2. Select the extracted folder. The Digital Collector Updater window appears. 




3. Double-click the Digital Collector Updater icon, and then provide administrator credentials to 
allow the updater to run with root privileges. 

4. Click Install Helper. 
If more than one USB device is detected on the computer, you see a message confirming that 
only the active Digital Collector SSD is listed in the updater device list. 

5. The Digital Collector Updater window appears, and the Digital Collector SSD is automatically 
selected in the Digital Collector Updater window. 

6. Click Update Now to begin the update process. 


Update Digital Collector on Windows Computers 


You must first check for and then download the updater before you run the update process for 
the Cellebrite Digital Collector solid state drive (SSD). As of version 3.3, the Digital Collector 
updater app formats the DCData partition as exFAT. 


Check for Updates 


1. In the Digital Collector menu bar, click Help > Check for Updates. 

2. Log in to the Cellebrite Customer Community. 

3. If a newer Digital Collector software version is available, the Software Update window shows 
this message: An Update was found. 

4. Choose one of these actions. 


• To skip the update and dismiss the Software Update window, click Skip This Version. 

• To temporarily dismiss the Software Update window, click Remind Me Later. 

• To download the Digital Collector Updater, click Download Update and follow the 
prompts. 


Update Digital Collector 


You must update the Digital Collector SSD to update the Digital Collector software. 


1. After you check for updates and download the Digital Collector Updater archive file, extract 
files from the archive. 




2. In the extracted Digital Collector Updater folder, double-click Digital Collector Updater.exe. 
The Digital Collector Updater window appears. 




3. Click Update Now. 
The update for Digital Collector is installed. 


Troubleshooting the Cellebrite Digital Collector Updater 


With the help of these topics, you may be able to troubleshoot these specific issues yourself. If 
you experience difficulties during the update process, contact support@cellebrite.com. 


Digital Collector Mounted with Read-only Permissions 


The Digital Collector SSD may mount with read-only permissions on computers with SoftBlock™ 
installed if the Digital Collector device was attached to the computer when it was started or 
restarted. 


If the Digital Collector SSD mounts with read-only permissions, the Digital Collector Updater 
window shows this text in red: [READ ONLY]. 


Unmount the Digital Collector SSD and remount it with Read-Write permissions. The Digital 
Collector Updater should then run normally. For more information, see Mount Device Tool. 


License File Restore Error 


If the Digital Collector Updater fails to restore the license file to the Digital Collector SSD, you 
can manually restore the license file from its backup. 


1. To find a Digital Collector license file backup, click Reveal License File. 
This file has this extension: .BBTLicense 


• On a Mac computer, a Finder window opens and displays the license backup file. 




• On a Windows computer, a File Explorer window opens and displays the license backup 
file. 


2. Drag and drop the backup file into the WINDOWS APP partition on the mounted Digital 
Collector device. 


Getting Support 


Before you contact technical support or your Sales Representative, you must get the ID for your 
Digital Collector SSD from the Preferences window. For more information, see Getting 
Information About a Digital Collector Device. 


You can log in to your account in the MyCellebrite portal at https://community.cellebrite.com, 
which provides access to resources and support. 


• Keep your products updated. 
• Contact Support or review the knowledgebase. 
• Download user manuals and data sheets. 
• Manage your product licenses. 
• Get expert assistance. 


You can also send an email to technical support at support@cellebrite.com. 


These technical publications are available for download. 


• Cellebrite Digital Collector Release Notes 
• Cellebrite Digital Collector Quick Start Guide 
• Cellebrite Digital Collector User Guide 


Getting Information About a Digital Collector Device 


On the About Digital Collector window, you can find this information about your Cellebrite Digital 
Collector solid state drive (SSD). 


Version | The version of Cellebrite Digital Collector on this SSD 
Build | The specific build identification number for this version of Digital Collector 
Dongle ID | The identification number for this Digital Collector SSD. You must have this ID before you contact Technical Support. 
Expiration | The date when the license subscription contract expires. Digital Collector stops functioning after the subscription expires. 


Open the About Digital Collector Window on a Mac Computer 


In the menu bar, click Digital Collector > About Digital Collector. 


Open the About Digital Collector Window on a Windows Computer 
In the menu bar, click Help > About Digital Collector. 


Workspace Orientation 


You should understand these main parts and capabilities of the Digital Collector interface. 


• Menu Bar 
• Toolbar 
• Views 
• Refresh the Device List 
• Setting Preferences on a Mac Computer 
• Setting Preferences on a Windows Computer 


Menu Bar 


The menu bar in Cellebrite Digital Collector is located at the top of the screen on a Mac 
computer and at the top of the application window on a Windows computer. The menu bar has 
these options. 


Option | Mac | Windows | Topic 
Digital Collector | ✓ | | Digital Collector Menu 
File | ✓ | ✓ | File Menu 
Edit | ✓ | ✓ | Edit Menu 
Action | ✓ | ✓ | Action Menu 
Templates | ✓ | ✓ | Templates Menu 
Window | ✓ | ✓ | Window Menu 
Help | ✓ | ✓ | Help Menu 


Digital Collector Menu 


The Digital Collector menu is available only on Mac computers. 


In the menu bar, click Digital Collector, and then click the appropriate action. 


Option | Description 
About | Version, device ID, license expiration, and contact information for Digital Collector. For more information, see these topics: Getting Support; Getting Information About a Digital Collector Device. 
Check for Updates | Check to see if there is a newer version of Digital Collector. For more information, see Updating Digital Collector. 
Preferences | Open the Digital Collector Preferences dialog box. For more information, see Setting Preferences on a Mac Computer. 
Hide Digital Collector | Hide Digital Collector. 
Hide Others | Hide all applications except Digital Collector. 
Quit Digital Collector | Stop and exit Digital Collector. 


File Menu 


In the menu bar, click File and then click the appropriate option. 


Option | Description | Mac | Windows 
Close | Close the current window. | ✓ | ✓ 
Refresh Device List | Force the device list to refresh. For more information, see Refresh the Device List. | ✓ | ✓ 
Exit | Stop and exit Digital Collector. | | ✓ 


Edit Menu 


In the menu bar, click Edit and then click the appropriate option. 


Option | Description | Mac | Windows 
Undo Undo the previous action. JV 
Cut | Cut the current selection. | ✓ | ✓ 
Copy | Copy the current selection. | ✓ | ✓ 
Paste | Paste the selection previously cut or copied. | ✓ | ✓ 
Delete | Delete the current selection. | ✓ | ✓ 
Select All | Select all items. | ✓ | ✓ 
Deselect All | Deselect all items. | ✓ | ✓ 
Preferences | Open the Digital Collector Preferences dialog box. For more information, see Setting Preferences on a Windows Computer. | | ✓ 


Action Menu 


In the menu bar, click Action and then click the appropriate option. 


Option | Description | Mac | Windows 
Add selected items to collection | Add the currently selected item or items to the collection. | ✓ | ✓ 


The Action menu is active only on the Browser and 
Search views in Digital Collector. 


Templates Menu 


In the menu bar, click Templates and then click the appropriate option. 


Option | Description | Mac | Windows 
Apply Collection Template | Select collection templates to apply for collecting data from the source computer. For more information, see Apply a Collection Template. | ✓ | ✓ 
Configure Collection Templates | Create, change, and delete collection templates. For more information, see Create and Manage Collection Templates. | ✓ | ✓ 
Save Current Selections As Template | Save the current selections on the Collection view as a collection template. For more information, see Save Current Selections as Template. | ✓ | ✓ 
Configure Custom File Filters | Create and manage custom file filters to use when selecting items to collect. For more information, see Create and Manage Custom File Filters. | ✓ | ✓ 


For more information, see Custom File Filters and Collection Templates. 


Window Menu 


In the menu bar, click Window and then click the appropriate option. 


Option | Description | Mac | Windows 
Activity | Opens the Activity window. For more information, see Activity Window. | ✓ | ✓ 


Help Menu 


In the menu bar, click Help, and then click the appropriate option. 


Option | Description | Mac | Windows 
User Guide | Open the User Guide for Cellebrite Digital Collector. | ✓ | ✓ 
Cellebrite Website | Open the Cellebrite homepage in a web browser. | ✓ | ✓ 
Digital Collector Feedback | Provide feedback to Cellebrite via email. | ✓ | ✓ 
Technical Support | Open the Cellebrite website technical support page in a web browser. | ✓ | ✓ 
About Digital Collector | Version, device ID, license expiration, and contact information for Digital Collector. For more information, see these topics: Getting Support; Getting Information About a Digital Collector Device. | | ✓ 
Check for Updates | Check to see if there is a newer version of Digital Collector. For more information, see Updating Digital Collector. | | ✓ 


The toolbar lets you open views in Cellebrite Digital Collector. 


Button | Description 
Case Details | Opens the Case Details view, where you can provide information to identify a case and the examiner. You can also adjust the date and time zone of timestamps for acquisition log files and reporting purposes. Source data (potential evidence) is not modified. 
Browser | Opens the Browser view, where you can navigate through the file systems of the connected devices. 
Search | Opens the Search view, where you can use robust tools to determine whether a connected device contains information of interest. 
Collection | Opens the Collection view, where you can strategically acquire targeted files, folders, and system data from a source device, rather than creating a full bit-by-bit forensic image. 
Image | Opens the Image view, where you can acquire a bit-by-bit forensic image of a device, or image a partition or slice. 
Tools | Opens the Tools view, where you can use a set of tools useful for advanced forensic examiners. 

Views 


These are the views in Cellebrite Digital Collector. 


• Case Details View 
• Browser View 
• Search View 
• Collection View 
• Image View 
• Views of System Volume and Data Volume on Mac Computers 
• Tools View 


Case Details View 
The Case Details view lets you manage information about the case and the examiner. 


On the Cellebrite Digital Collector toolbar, click Case Details. The Case Details view appears. 




On the left side of the Case Details view, type the necessary information in the fields for Case 
Identification and Examiner Information. 


In the Comments field, type any additional information about the acquisition. 


By default, acquisition log files record date and timestamps according to the host or analysis 
machine's system date and time settings. To adjust the display time zone, select the appropriate 
time zone. This is strictly for logging and reporting purposes. Source data (potential evidence) is 
not modified. 


Browser View 


The Browser view in Cellebrite Digital Collector allows you to navigate through the file systems 
of connected devices. You can also select files and folders and add them to the set of data to be 
collected. 


In the toolbar, click Browser to see the connected volumes. 


In the Browser view, you can navigate through the directory structure of connected devices. 
When you select a file, a preview appears on the right side along with file metadata. 


On Mac computers, you can see file previews for file types supported by QuickLook, such as 
pictures, videos, MS Office files, .pdfs, and more. 


On Windows computers, you can see file previews for image file types, such as .jpg, .png, .gif, 
and more. You can also see previews for MS Office files. 


For image files only, above the preview pane you can toggle between viewing scaled to fit the 
preview pane or viewing full sized. 


On Mac computers with FileVault 2, the encrypted volume is already unlocked if the computer is 
running. If the computer is not running, you must first mount it and then unlock the FileVault 2 
encrypted volume with a user account password, a recovery key, or keychain file if you are an 
Enterprise user. For more information, see Mount Device Tool and Unlocking and Imaging 
CoreStorage FileVault 2 Volumes. 


If you are examining a computer running on macOS 10.15 or later, see Views of System Volume 
and Data Volume on Mac Computers. 


From the Browser view, you can add files and folders to the set of data to be collected. You can 
add files and folders one at a time or in groups. Use normal operating system procedures to 
select files and folders individually or sequentially, then open the context menu (right-click a 
selected item) and click Add Selected Items to Collection. 


Files added to the collection this way appear in the ADDITIONAL FILES section of the list on the 
Collection view. For added folders, the contents of the folder are listed in Collection Summary 
when a folder is selected in the ADDITIONAL FILES section. 




For more information, see Selecting Additional Files and Folders. 


Search View 


You can use the Search view in Cellebrite Digital Collector to determine whether a connected 
device contains information of interest. If no items are returned from searches, further 
processing of the device may not be necessary. 


In the toolbar, click Search. 




The Search view allows you to search for data based on one or more of these criteria. 


• Location - Volume or specific path 
• Name - Filename using these operators 
  ◦ contains 
  ◦ does not contain 
  ◦ exact match 
• Extension - File extension using these operators 
  ◦ is 
  ◦ is not 
• File Size - File size using these operators. You can specify the file size to search for in KB, 
MB, or GB. 
  ◦ greater than 
  ◦ less than 
  ◦ between 
• Date - Choose Date Created, Date Modified, or Date Accessed, then choose an operator and 
set the dates by typing, using the arrows, or selecting from the calendar. 
  ◦ is between 
  ◦ is before 
  ◦ is after 
  ◦ is exactly 
• Content - Search for files containing content you specify. You can search data within binary 
files, documents, or both. If both binary files and documents are selected, the search time 
increases, sometimes significantly. 


You can combine multiple search criteria to create a more complex search, filtering down to 
items that are relevant to the investigation. 


When you select a file from the search results, a preview appears on the right side along with file 
metadata. 




For image files only, above the preview pane you can toggle between viewing scaled to fit the 
preview pane or viewing full sized. 


On Windows computers running live, you can see file previews for image file types, such as .jpg, 
.png, .gif, and more. You can also see previews for MS Office files. 


On Mac computers, you can see file previews for file types supported by QuickLook, such as 
pictures, videos, MS Office files, .pdfs, and more. 


On Mac computers with FileVault 2, the encrypted volume is already unlocked if the computer is 
running. If the computer is not running, you must first mount it and then unlock the FileVault 2 
encrypted volume with a user account password, a recovery key, or a keychain file if you are an 
Enterprise user. For more information, see Mount Device Tool and Unlocking and Imaging 
CoreStorage FileVault 2 Volumes. 


If you are examining a computer running on macOS 10.15 or later, see Views of System Volume 
and Data Volume on Mac Computers. 
Adding Files to the Collection 


From the Search view, you can add files and folders to the set of data to be collected. You can 
add files and folders one at a time or in groups. Use normal operating system procedures to 
select files and folders individually or sequentially, then open the context menu (right-click a 
selected item) and click Add Selected Items to Collection. 




Files added to the collection this way appear in the ADDITIONAL FILES section of the list on the 
Collection view. For added folders, the contents of the folder are listed in Collection Summary 
when a folder is selected in the ADDITIONAL FILES section. 




For more information, see Selecting Additional Files and Folders. 
Collection View 


The Collection view in Cellebrite Digital Collector allows you to acquire selected files, folders, 
and system data from a source computer or any drive or storage device attached to it. With this 
powerful feature, you can strategically triage data instead of creating a full bit-by-bit forensic 
image when time is short or other external constraints are present. 


The Collection view automatically targets these data categories: 


• User Files 
• System Data 
• System Files 
• Additional Files 


You can also create and use custom file filters and collection templates, which make it easier 
and faster to select items to collect. For more information, see Custom File Filters and 
Collection Templates. 


To see the Collection view, click Collection in the toolbar. 




If you are examining a computer running on macOS 10.15 or later, see Views of System Volume 
and Data Volume on Mac Computers. 


You can expand each category in the list to see the targeted data. Mark the checkbox to the right 
of any items to select them for collection. 


You can select or deselect all items within a category of the list, for example all user directories 
within the USER FILES category. 


• On a Mac computer, press OPTION while clicking a checkbox for one item within the 
category. 
• On a Windows computer, press ALT while clicking a checkbox for one item within the 
category. 

To select or deselect every item in all categories, open the context menu (right-click any item) 
and then click Select All or Deselect All. 




You can add files and folders to the ADDITIONAL FILES section of the list. Click Select Files to the 
right of ADDITIONAL FILES, and then navigate to the files and folders that should be added to the 
collection. 


You can also add files and folders to the collection directly from the Browser and Search views. 
For more information, see Browser View and Search View. 
Image View 


The Image view in Cellebrite Digital Collector lets you easily acquire a bit-by-bit forensic image 
of a computer hard drive or an attached external storage device, or image a device partition or 
slice. 


In the Digital Collector toolbar, click Image. 


This is an example of the Image view on a Mac computer. If you are examining a computer 
running on macOS 10.15 or later, see Views of System Volume and Data Volume on Mac 
Computers. 


This is an example of the Image view on a Windows computer. 


Hard drives and storage devices are shown in the list on the left side of the Image view. Device 
volumes or partitions are shown below their associated hard drive or storage device. 


For more information, see Creating an Image. 
Views of System Volume and Data Volume on Mac Computers 


As of macOS Catalina 10.15, the operating system runs in a read-only system volume, separate 
from other files. This increases protection for the operating system. When a computer is 
upgraded to macOS Catalina or later, a second volume is created and some files may move to a 
Relocated Items folder. The boot volume is effectively split into two pieces. On the Desktop it 
appears as one volume, but looking at it with Disk Utility, it is readily apparent there are two 
volumes. 




The volume name that appears on the Desktop appears in both volumes seen in Disk Utility. In 
Disk Utility, the second volume has "- Data" appended to the volume name, for example 
MacSSD - Data or Macintosh SSD - Data. For more information, see 
https://support.apple.com/en-us/HT210650. 


If FileVault 2 is enabled, the same credentials unlock both volumes in Digital Collector. 


Both of the volumes appear in all the views in Digital Collector. The system volume appears with 
the volume name. The name of the data volume differs slightly among the views in Digital 
Collector. 
In the Browser view, the name of the data volume is Data. 




In the Search view, the name of the data volume is the same as in Disk Utility, <VolumeName> - 
Data. The data volume is selected by default in the Location list. Be sure to search both volumes 
to ensure that no important files are overlooked. 




In the Collection view, the name of the data volume is Data. Both volumes appear in the System 
Files list under MACOS VOLUMES. 


In the Image view, the name of the data volume is the same as in Disk Utility, /<VolumeName> - 
Data. Both volumes appear as two separate slices. 


Tools View 


The Tools view in Cellebrite Digital Collector provides a variety of advanced acquisition tools 
developed for experienced forensic examiners. 


• Mount Device 
• Format Device 
• Hash Device 
• Hash Image File 
• Terminal 


Some of these tools are useful only when you start (boot) the source computer from the Digital 
Collector device, as they are unusable or inappropriate for use during a live acquisition. 


In the toolbar, click Tools. The Tools view appears, showing a tab for each advanced tool. 




For more information, see Tools. 
Refresh the Device List 


You can refresh the list of devices shown in Cellebrite Digital Collector any time you like for any 
view but Case Details. 


In the bottom left corner of the Digital Collector window, click the Refresh Device List icon. 


Setting Preferences on a Mac Computer 


Cellebrite Digital Collector preferences are stored on the Digital Collector SSD in a database file 
named com.cellebrite.DigitalCollector.settings, which is in the WINDOWS APP partition. You may 
set preferences on either a Mac or a Windows computer; setting preferences on one platform 
sets them for the other. 


In the menu bar, click Digital Collector > Preferences. These are the tabs on the Preferences 
window. 


• General 
• Imaging 
• Data Collection 


Set Language Preference 


On the General tab in the Preferences window, choose the appropriate language in the Language 
field. 


Set Imaging Verification Preference 


To automatically validate data before and after imaging, click Imaging on the Preferences 
window, and then mark the Compare hashes before and after imaging checkbox. By default, 
hashing happens inline with imaging and there is no need for before-and-after hashing. Later 
versions of the Mac operating systems require full disk access. 


[Screenshot: Preferences window, Imaging tab. Verification: the Compare hashes before and after 
imaging checkbox, with the note "APFS AFF4 images are post hash only". Full Disk Access: status 
shown as "Full Disk Access is Enabled". File Extension Length: Specify default length for Raw 
image file extensions, set to .001.] 


This is an example of a post-acquisition Activity window with the verification preference enabled. 


Set Length for Raw Image File Extensions 


To specify the default length of file extensions for raw image files, click Imaging on the 
Preferences window, and then choose the appropriate option in the Specify default length for Raw 
image file extensions field. 
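
The verification and raw-extension preferences above both concern raw images written as numbered files. As an added example (not part of the Digital Collector documentation or product), this Python script re-hashes a segmented raw image independently after acquisition and compares the result with the digests recorded at acquisition time. It assumes the segments are a plain split of the image named with a fixed-width numeric extension (.001, .002, and so on); the function names and the sample data are constructed for illustration.

```python
"""Re-hash a segmented raw image and compare with the acquisition hashes.

Added example; not Digital Collector code. Assumption: the image is a plain
split whose segments share a stem and carry a fixed-width numeric extension
(evidence.001, evidence.002, ... or evidence.0001, ...).
"""
import hashlib
import re
import sys
import tempfile
from pathlib import Path

CHUNK = 1024 * 1024  # stream 1 MiB at a time; images are far larger than RAM


def find_segments(first_segment):
    """Return the contiguous, ordered list of segments starting at first_segment."""
    first = Path(first_segment)
    match = re.fullmatch(r"\.(\d+)", first.suffix)
    if match is None:
        raise ValueError(f"{first.name}: expected a numeric extension such as .001")
    width, start = len(match.group(1)), int(match.group(1))

    segments = []
    number = start
    while (candidate := first.with_suffix(f".{number:0{width}d}")).is_file():
        segments.append(candidate)
        number += 1
    if not segments:
        raise FileNotFoundError(first)

    # A same-named segment on disk that is not part of the contiguous run means
    # a segment in between is missing; a hash over the remainder proves nothing.
    name_re = re.compile(re.escape(first.stem) + r"\.(\d{%d})" % width)
    for path in first.parent.iterdir():
        m = name_re.fullmatch(path.name)
        if m and int(m.group(1)) >= start and path not in segments:
            raise ValueError(f"gap in segment numbering before {path.name}")
    return segments


def hash_image(first_segment, algorithms=("md5", "sha1", "sha256")):
    """Hash the concatenation of all segments; return (digests, total_bytes)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    for segment in find_segments(first_segment):
        with open(segment, "rb") as handle:
            while chunk := handle.read(CHUNK):
                for hasher in hashers.values():
                    hasher.update(chunk)
                total += len(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}, total


def verify_image(first_segment, expected):
    """Compare recomputed digests with those recorded at acquisition time.

    expected maps an algorithm name to the hex digest copied from the
    acquisition report; case and surrounding whitespace are ignored.
    """
    computed, _ = hash_image(first_segment, tuple(expected))
    return {
        name: computed[name] == value.strip().lower()
        for name, value in expected.items()
    }


def demo():
    """Constructed sample: a 10 KiB 'image' split into three segments."""
    data = bytes(range(256)) * 40
    with tempfile.TemporaryDirectory() as tmp:
        for i, offset in enumerate(range(0, len(data), 4096), start=1):
            Path(tmp, f"sample.{i:03d}").write_bytes(data[offset:offset + 4096])
        recorded = {"sha256": hashlib.sha256(data).hexdigest().upper()}
        return verify_image(Path(tmp, "sample.001"), recorded)


if __name__ == "__main__":
    # Usage: python verify_raw.py evidence.001 sha256=<hex> [md5=<hex> ...]
    # With no arguments, the constructed demo runs instead.
    if len(sys.argv) >= 3:
        recorded = dict(arg.split("=", 1) for arg in sys.argv[2:])
        results = verify_image(sys.argv[1], recorded)
    else:
        results = demo()
    for name, ok in results.items():
        print(f"{name}: {'MATCH' if ok else 'MISMATCH'}")
    sys.exit(0 if all(results.values()) else 1)
```

Run it from an analysis workstation against a working copy of the image, and record the recomputed digests alongside the acquisition report.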




Set Report Time Output Preference 


You can choose how timestamps are represented in report output from Digital Collector. 
Formatted is the default. 


To change it to UNIX Epoch timestamps (UTC only), click Data Collection on the Preferences 
window, and then select UNIX Epoch. 


[Screenshot: Preferences window, Data Collection tab. Report Time Output options: Formatted 
(example: 2013-08-01 16:05:16 -07:00 [PDT]) and UNIX Epoch (example: 1375398316; NOTE: UTC 
time zone only).] 
Setting Preferences on a Windows Computer 


Cellebrite Digital Collector preferences are stored on the Digital Collector SSD in a database file 
named com.cellebrite.DigitalCollector.settings, which you can find in the WINDOWS APP partition. 
When you set preferences, they apply to Digital Collector for both Mac and Windows computers. 
Setting preferences in Digital Collector on one platform effectively sets them for the other as 
well. 


In the menu bar, click Edit > Preferences. These tabs are on the Preferences window. 


• General 
• Imaging 
• Data Collection 


Set Language Preference 


On the General tab in the Preferences window, choose the appropriate language in the Language 
field. 
Set Imaging Verification Preference 


To automatically validate data before and after imaging, click Imaging on the Preferences 
window, and then mark the Compare hashes before and after imaging checkbox. 




Set Length for Raw Image File Extensions 


To specify the default length of file extensions for raw image files, click Imaging on the 
Preferences window, and then choose the appropriate option in the Specify default length for Raw 
image file extensions field. 


Set Report Time Output Preference 


You can choose how timestamps are represented in report output from Digital Collector. 
Formatted is the default. 


To change it to UNIX Epoch timestamps (UTC only), click Data Collection on the Preferences 
window, and then select UNIX Epoch. 


Launching Digital Collector on a Live Computer 


You may need to capture volatile user-specific data, system artifacts, and Random Access 
Memory (RAM) contents while a source computer is running. With Cellebrite Digital Collector, 
data collected during a live acquisition may be saved to a forensic image. 


Digital Collector can acquire RAM from macOS computers up to version 10.15.7. 


When time is limited, you may select and acquire specific data from a live source computer using 
only the Digital Collector solid state drive (SSD) and a destination collection device, or even the 
DCData partition on the Digital Collector SSD itself if the capacity of that partition is adequate. 


Obtain an administrator username and password for the source computer when possible. 
Launching Cellebrite Digital Collector from an administrator account allows the software to run 
with root privileges. 


You can acquire data directly from a live source computer or start (boot) your host computer with 
Cellebrite Digital Collector to acquire data from a connected source computer by connecting the 
Digital Collector SSD to the computer. The partitions on the Digital Collector SSD appear in the 
file system. Before you begin, you should understand the partitions on the Digital Collector SSD. 
For more information, see Digital Collector Device. 


Connect a storage device to serve as the collection’s destination, then launch the Digital 
Collector application. 


During a live acquisition, the source computer must remain connected to your host computer 
throughout the entire process. 


This chapter provides these topics. 


• Launch Digital Collector on a Live Mac Computer 
• Launch Digital Collector on a Live Windows Computer 

Launch Digital Collector on a Live Mac Computer 


You may connect the Digital Collector device to a running source Mac computer, or to your own 
running host computer. 


After Digital Collector is launched on a source computer, you can obtain a logical data collection. 


You can also create images of live APFS volumes that are mounted read/write. During this 
process the volume is locked/frozen. This can cause behavior that seems unusual until imaging 
is complete. 


Launch Cellebrite Digital Collector from an administrator account when possible, so the 
software runs with administrator-level permissions. After you successfully enter an 
administrator password, Digital Collector runs with root privileges. 


If the End User License Agreement has not been accepted yet for Cellebrite Digital Collector, you 
can do so when it launches. For more information, see Accepting the Digital Collector End User 
License Agreement. 


1. Connect the Digital Collector SSD to a USB port on the computer. 

2. Use Finder to browse to the MacOS App partition on the SSD, and then double-click 
DigitalCollector.app. 
A dialog box appears for you to provide login credentials for an administrative user account 
on the computer. 


3. Choose the appropriate action. 


• If you have administrator credentials, type them in the User Name and Password fields, 
and then click Install Helper. 

• If you don't have administrator credentials, click Cancel. 
A restricted permissions confirmation dialog box appears. 

• To run Cellebrite Digital Collector with restricted permissions (permissions for the user 
who is currently logged in), click Run Restricted. 


4. If the End User License has not been accepted yet, you can do so now. 
The Case Details view appears in the Digital Collector window. 




You can provide information on the Case Details view and then collect data from the live source 
computer. For more information, see Case Details View. 


• If Digital Collector is directly connected to the live source computer, you can obtain a logical 
data collection or create an image. For more information, see Collecting Data from a Source 
Computer and Imaging Mac Computers. 

• If the live source computer is connected in target disk mode (TDM) to a host computer 
running Digital Collector, you can obtain a logical data collection or you can create an image. 
For more information, see Imaging Mac Computers. 

Launch Digital Collector on a Live Windows Computer 


On a live Windows computer, you must launch Cellebrite Digital Collector from an administrator 
account. It will not run with a user account. Digital Collector runs with administrator privileges. 


If you do not have an administrator password for the computer, you can start the computer from 
the Digital Collector solid state drive (SSD). For more information, see Starting a Computer with 
Digital Collector. 


If the End User License Agreement has not been accepted yet, you can do so when Cellebrite 
Digital Collector launches. For more information, see Accepting the Digital Collector End User 
License Agreement. 


1. Connect the Digital Collector SSD to a USB port on the computer. 

2. Ignore any prompts to scan or format the SSD or to set AutoPlay defaults. 
Use File Explorer to see the WINDOWS APP partition. 

3. In the WINDOWS APP partition, double-click DigitalCollector.exe. 

4. Choose the appropriate action. 


• If User Account Control (UAC) is not enabled, go to Step 5. 
• If User Account Control (UAC) is enabled and the logged-in user 
  ◦ has administrative permissions, click Yes. Digital Collector launches. 
  ◦ does not have administrative permissions, enter an administrator password, clicking 
  More Choices if necessary to see all the user accounts for this computer. Digital 
  Collector launches. 


5. If the Digital Collector EULA window appears, you can either click Agree or mark the 
checkbox for Permanently Accept and then click Agree. 
The Case Details view appears in the Digital Collector window. 


For more information, see Case Details View. 
Starting a Computer with Digital Collector 


You may connect a source computer to your own host or analysis computer and treat the source 
computer like an external drive to create an image of it or to create a logical data collection. To 
do this, you must start (boot) your host computer from the Cellebrite Digital Collector solid state 
drive (SSD) before you connect it to the source computer. If the source computer is a Mac, you 
must also place it in target disk mode (TDM) before you connect it to your host computer. To 
write-protect the source computer, you should use either a hardware write-blocker or a 
software-based write-blocking solution. 


Note: TDM does not exist on M1 Mac computers. 


If you do not have a host or analysis computer, you may boot a source computer from the Digital 
Collector SSD and save the image or logical collection to an external device using only the 
source computer itself. Because Digital Collector boots into a forensically sound environment, 
no additional write-blocking software or hardware is necessary. You only need the source 
computer, the Digital Collector SSD, and a destination device to perform a static data acquisition. 
The Digital Collector SSD itself has a partition, DCData, that can be the destination if it has 
enough available space to hold the image or the logical collection. For more information, see 
Digital Collector Device. 


Before you begin, you should review the Other Equipment topic. 


This chapter provides these topics. 


• Start a Mac Computer with Digital Collector 
• Connect a Source Mac Computer in Target Disk Mode 
• Start a Windows Computer with Digital Collector 

Start a Mac Computer with Digital Collector 


These are the reasons to start a Mac computer with the Cellebrite Digital Collector solid state 
drive (SSD): 


• To start your own host computer with Digital Collector before you connect it to a source 
computer as an external hard drive to image or collect data from. Before you begin, you must 
put the source computer into target disk mode (TDM). For more information, see Connect a 
Source Mac Computer in Target Disk Mode. 


• If you don't have a host computer, or if you don't have the administrator password for the 
source computer, you can start (boot) a source computer directly from the Digital Collector 
SSD. 


If the Mac computer is a late 2017 to 2020 model, it may have a T2 security chip. One of the 
functions of the T2 chip is to prevent the computer from booting to external devices, including 
Digital Collector. You can remove this restriction in the Startup Security Utility, in the computer's 
Recovery partition. You need an admin password to access the Startup Security Utility. To start 
the Recovery partition, press CMD+R while starting the computer. Then change the settings to No 
Security and Allow booting from external media. For more information, see 
https://support.apple.com/en-us/HT208198. 


The most forensically sound method for acquiring data from the source computer is to place it in 
target disk mode and not change the security settings. If you do change the secure boot settings 
and later want to change it back from No Security to Full Security, Apple requires an internet 
connection. 


1. Ensure the computer is not running and is connected to a power source. 

2. Connect the Digital Collector SSD to a USB port on the host computer or directly to the 
source computer if there is no host. 

3. Connect an external storage device, if needed, to the host computer or directly to the source 
computer if there is no host. This is the destination where the image or logical data 
collection will be stored. 

4. On the computer connected to the Digital Collector SSD, take either of these actions: 


• Press the power button and immediately hold down the OPTION key. 
• On an M1 computer, press and hold the power button. 

5. Release the OPTION key or the power button when either of these appears. 


• A window appears where you can type the firmware password, if it is enabled. 
Type the firmware password. If you do not have the password for the source computer, 
you cannot proceed. 


• The Startup Manager appears. 


6. Choose the appropriate action. 
• If the computer is an M1 Mac, select the DC ARM Boot volume and then click Continue. 
• If the computer is not an M1 Mac, select the Cellebrite Digital Collector 3.4 volume and 
then click the arrow below it. 


Warning: Do not select the EFI volume, which runs properly only on Windows computers. 
7. Take the appropriate action based on the response to Step 6. 


Response: The logo for Cellebrite Digital Collector appears along with a progress bar. 
The Apple logo may appear briefly, for up to 20 seconds. 
Action: The computer has started successfully from Digital Collector. 
The Case Details window appears. 
You can now create an image or obtain a logical data collection. For more information, 
see these topics: 
• Imaging Mac Computers 
• Collecting Data from a Source Computer 


Response: The Apple logo appears before the Digital Collector logo. 
Action: If the computer is an older Mac, it is booting to its own operating system and not to 
Digital Collector. 
Press and hold the computer's power button immediately to stop the computer. 
(On newer Mac computers, the Apple logo appears during the boot process even when it 
is starting from the Digital Collector SSD.) 


Response: A gray or black screen with a slashed circle appears. 
Action: The computer has failed to boot to the Digital Collector boot volume. Choose one of 
these actions: 
• If the source computer is an Intel Mac, try this process again with the Legacy 
partitions. You can also place the Intel Mac in Target Disk Mode and connect it to a 
host computer that was booted from Digital Collector. 
For more information, see Connect a Source Mac Computer in Target Disk Mode. 
Do not select the EFI volume. 
• If the source computer is an M1 Mac, the model may not be supported yet. 

Connect a Source Mac Computer in Target Disk Mode 


To obtain a decrypted physical image or a decrypted logical data collection, you can put the 
source computer in target disk mode (TDM) and connect it to your host computer running 
Cellebrite Digital Collector. This is possible even for Mac computers with a T2 chip. 


To write-protect the source computer, you should start (boot) the host computer with Digital 
Collector. For more information, see Start a Mac Computer with Digital Collector. 


If you must run Digital Collector on a live host computer, use either a hardware write-blocker or 
a software-based write-blocking solution. For more information, see Other Equipment. 


For related information about Mac computers, see these topics from Apple. 


• https://support.apple.com/en-us/HT204455 
• https://support.apple.com/guide/mac-help/transfer-files-mac-computers-target-disk-mode-mchlp1443/mac 


Before you begin, ensure the source computer is not running and is connected to a power 
source. Also ensure that Digital Collector is running on the host computer. 


1. On the source computer, press the power button and immediately press and hold OPTION. 
2. If this window appears, a firmware password is required. 

[Screenshot: firmware password window] 

Release the OPTION key and type the firmware password. If you do not have the password, 
you cannot proceed. 


3. Release the OPTION key and press T. 
4. With a genuine Apple Thunderbolt cable, connect the source computer to the host computer. 


When Digital Collector detects the connected source computer in TDM, you can obtain either a 
decrypted physical image or a decrypted logical collection. 


For more information, see these topics. 


• Imaging Mac Computers 
• Collecting Data from a Source Computer 

Start a Windows Computer with Digital Collector 


You can start your own host computer with the Cellebrite Digital Collector solid state drive (SSD) 
before you connect it to a source computer, to treat it as an external hard drive that you can 
image or collect data from. 


You can also start (boot) a source computer directly from the Digital Collector SSD if you don't 
have the administrator password. 


Before you begin: 


• Review this entire procedure. If a source computer shows signs of booting to its operating 
system and not to Digital Collector, you must be ready to shut it down immediately. 

• You need to know how to start the source or the host computer so that the boot menu 
appears. This is necessary so that you can select Digital Collector to boot from, rather than 
the computer's own operating system. You can do this by repeatedly pressing the correct key 
or keys during startup. The exact boot key varies among manufacturers and computer 
models, but these keys are often used: ESC, F2, F10, and F12. If none of these commonly 
used boot keys reveals the boot menu, you can search online for the manufacturer and model 
of the source or the host computer. 

• You should also review the Other Equipment topic. 


Among Windows computers, there are a wide variety of start configurations, as well as the 
sequence and appearance of BIOS screens and Boot Menus. Therefore, this topic provides 
general guidance. 


1. Ensure the source or host computer is not running and is connected to a power source. 

2. Connect the Digital Collector SSD to a USB port on the host computer or directly to the 
source computer if there is no host. 

3. Connect an external storage device, if needed, to the host computer or directly to the source 
computer if there is no host. This is the destination where the image or logical data 
collection will be saved. 

4. On the computer connected to the Digital Collector SSD, press the power button and 
immediately begin repeatedly pressing the boot key until you see the BIOS screen or Boot 
Menu. If you see the BIOS screen, you can find the Boot Menu there. 

5. In the Boot Menu, select Cellebrite Digital Collector 3.4. 

6. The computer boots from Digital Collector. 

It may take a few moments before Digital Collector appears. 


Proceed with triage, collecting data, or creating an image. 
Collecting Data from a Source Computer 


Forensically significant user data and system artifacts are located in many different places in 
computer file systems. Manually locating and selecting such data during a forensic acquisition 
may be both daunting and time-consuming, especially when you are collecting data from a live 
computer under time constraints. For more information, see Launching Digital Collector on a 
Live Computer. 


Cellebrite Digital Collector makes this task quick and simple. This is especially important when 
collection time is limited. The Collection view automatically targets these data categories. 


• User Files 
• System Data 
• System Files 
• Additional Files 


You can add files and folders to the Additional Files category from the Browser and Search views 
as well as from the Collection view. You can also create and use custom file filters and collection 
templates, which make it easier and faster to select items to collect. For more information, see 
Custom File Filters and Collection Templates. 


For more information, see these topics. 


• Collection View 
• Browser View 
• Search View 


Note: Obtaining a decrypted logical collection is the same for all Mac computers, even those 
with a T2 chip. If FileVault 2 is enabled, you must unlock the encrypted volume to decrypt the 
data before you can create a logical collection. For more information, see Mount Device Tool. 


This chapter provides these topics. 


• Selecting User Files 
• Selecting System Data 
• Selecting System Files 
• Selecting Additional Files and Folders 
• Collecting Selected Data 
• Verifying Collected Data 

Selecting User Files 


On every computer, each user has their own files and folders. Cellebrite Digital Collector allows 
a forensic examiner to identify all user accounts and then target and collect data corresponding 
to specific users. 


In the toolbar, click Collection and then expand the USER FILES section of the list on the left 
side of the Collection view. 


The USER FILES section of the list looks like this on Windows computers. 

[Screenshot: USER FILES section of the Collection view on a Windows computer] 


The USER FILES section of the list looks like this on Mac computers. 

[Screenshot: USER FILES section of the Collection view on a Mac computer] 

These are the sections within the USER FILES list. 


• USER DIRECTORIES, where user accounts are grouped according to which internal drive or 
attached device contains each user directory. Expand or collapse the list for any drive or 
device to show or hide the associated user accounts. 

• CUSTOM FILE FILTERS (PER USER), where you can select custom file filters, which make it 
easier and faster to select items to collect. For more information, see Custom File Filters 
and Collection Templates. 

• FILES (PER USER), where categories of file types are listed. 


These sections of the list work together. 
1. In the USER DIRECTORIES section, mark the checkbox to the right of the path name to select 
specific user accounts to collect data from. 
2. Choose either or both of these actions: 
• In the FILES (PER USER) section, mark the checkbox to the right of each item to collect 
for the selected users. 
• In the CUSTOM FILE FILTERS (PER USER) section, mark the checkbox to the right of a 
custom file filter. 


For example, you could select two of the user directories and then select only Documents, 
Downloads, and Pictures. Or you could select two of the user directories and then select one 
custom file filter. The collection is limited to only the targeted items for the selected users. 


You can apply a collection template as an alternative or addition to custom file filters. For more 
information, see Custom File Filters and Collection Templates. 


Look in the Collection Size field at the bottom of the Collection view, to the right of the list. If you 
deselect a user or select another user, or if you deselect an item or select another item, the 
size of the collection is recalculated to reflect excluding or including the selected files for the 
selected users. When time is limited, you can quickly triage user data according to importance. 
The larger the size, the longer it will take to collect. 


Options for Collecting User Files 


These are the preset options for user files that can be collected. 


Option | Description | Mac / Windows 
Applications Taskbar/Dock | Collect the user account's Dock or Taskbar application preference settings | ✓ ✓ 
Attached Media | Collect attached device history | ✓ ✓ 
Bash History | Collect command line history (bash shell) | ✓ 
Cache | Collect temporary files | ✓ 
Calendars | Collect iCal calendar events and attachments from macOS | ✓ ✓ 
 | Collect AppData\Local\Packages\microsoft.windowscommunicationsapp_8wekyb3d8bbwe from MSOutlook on Windows | 
 | Collect AppData\Local\Comms\Unistore from the Windows 10 Mail app | 
Contacts | Collect Contact data | ✓ ✓ 
Desktop | Collect all files located on the user account's Desktop | ✓ ✓ 
Desktop Picture | Collect the user account's Desktop wallpaper | ✓ 
Diskutility Log | Collect all user actions executed from the Disk Utility application | 
Documents | Collect all files/folders in the user account's Documents folder | ✓ ✓ 
 | Collect all TextEdit* application files | 
Downloads | Collect all files/folders in the user account's Downloads folder | ✓ 
Email | Collect Microsoft Outlook email and cache data | ✓ ✓ 
 | Collect Microsoft Entourage email, downloads, and cache data | ✓ 
 | Collect Mac Mail application email and downloads | 
FaceTime | Collect FaceTime* | 
Internet Browser | Collect Google Chrome internet history, cookies, and cache | ✓ 
 | Collect Microsoft Edge internet history, cookies, and cache | ✓ 
 | Collect Internet Explorer internet history, cookies, and cache | ✓ 
 | Collect Firefox internet history, cookies, and cache | ✓ ✓ 
 | Collect Safari internet history, bookmarks, cookies, cache, and more. | ✓ 
Messages | For iMessage and iChat, collect logs, files, .plist file, and cache files | ✓ 
Movies | Collect all files in the user account's Movies folder | ✓ ✓ 
 | Collect QuickTime application files | 
Music | Collect all files in the user account's Music folder | ✓ ✓ 
Notes | Collect user account's Notes* | ✓ 
 | Collect user account's Stickies (sticky note) application data | ✓ ✓ 
Pictures | Collect all files in the user account's Pictures folder | ✓ ✓ 
 | Collect all user account Photo Booth application picture files | ✓ 
 | Collect all user account Preview* application picture files | 
Recent Items | Collect data in the user account's Recent Items menu | ✓ 
Saved Application State* | Collect application window settings and data from the last time applications were used | ✓ 
User Passwords | Collect user account password files | ✓ ✓ 
User Preferences | Collect all user-defined application preferences | ✓ 
Users Trash | Collect all items in the user account's Trash folder | 
Wifi | Collect Wifi data | ✓ 
iOS Backup | Collect all user iOS backup folders | ✓ 


* Denotes data collected from the ~/Library/Containers/ directory, if it exists on a Mac computer. 
Custom File Filters and Collection Templates 


Custom file filters and collection templates can make it easier and faster to select items to 
collect. Once you establish these, you can rely on them to more quickly and consistently select 
items to collect. This can also mean that more junior examiners can work more independently to 
consistently select appropriate items. Additionally, the resulting data collection may be smaller 
while still focusing on relevant data. 


Both custom file filters and collection templates are saved in the settings file on the Digital 
Collector device (dongle). This ensures that they are always available as you collect data from 
different computers, regardless of whether they run Mac or Windows. 


In the Collection view, the SYSTEM DATA and USER FILES groups have exchanged locations in 
the list of items to collect. USER FILES is now at the top of the list. This makes it easier to use 
custom file filters in conjunction with selecting the appropriate user. 


The new CUSTOM FILE FILTERS (PER USER) section appears in the USER FILES group. 


Custom file filters and collection templates work on both booted and live Mac and Windows 
computers. The same filters and templates can be used on either platform. Any aspects that do 
not apply to the source computer due to platform differences are simply ignored. For example, 
when a template is defined to collect the Windows registry, that yields no result on a basic Mac 
computer. However, if a Mac computer has a Bootcamp volume that Digital Collector recognizes, 
the same template can collect the Windows registry from that volume. 


For custom file filters or templates to select files, you must also select at least one user in the 
USER DIRECTORIES section of the list of items to collect. Only files for the selected user will be 
collected. 


Filters look for files based on these user locations. 


• Desktop 
• Documents 
• Downloads 
• Library 
• Videos 
• Music 
• Pictures 
• Home 


Templates look for files based on groups or items you select as well as any custom file filters 
you select. When you apply a template, you must also select at least one user in the USER 
DIRECTORIES section of the list of items to collect. 


You can apply only one template at a time. 
For more information, see these topics: 


• Create and Manage Custom File Filters 
• Collection Templates 

Create and Manage Custom File Filters 


Before you begin, you should understand the information in this topic: Custom File Filters and 
Collection Templates. 


1. Take one of these actions. 

• In the Menu bar, click Templates > Configure Custom File Filters. 
• To the right of CUSTOM FILE FILTERS (PER USER) in the list of items to collect, click 
Configure. 
• Open the context menu from CUSTOM FILE FILTERS (PER USER) and then click Configure 
Custom File Filters. 

• The Custom File Filter Tasks dialog box appears. 


2. Take any of these actions. 

Create a file filter: 

These fields are similar to the fields on the Search view. 

a. Click New File Filter and then type a name for the file filter in the Name field. 
b. In the Location field, select the location that items will be collected from. 
c. In the Name field, set the criteria for the file name. 
d. In the Extension field, set the criteria for the file extension. 
e. In the File Size field, set the criteria for the file size. 
f. In the Date field, set the criteria for the date. 
   These new options may be most useful. These options are also available in the Search view. 
   • last day 
   • last week 
   • last month 
   • last year 
   Note: When you boot a Windows computer with Digital Collector, filtering on Date Created is 
   not supported. 
g. Click Save. 

Change a file filter: 

a. In the File Filter Name list, select a file filter and change any data, including the name. 
b. Click Save. 

Delete a file filter: 

Select a file filter and click Delete Selected. 


After you have created custom file filters, you can select them the way you would any items in 
the list. Selecting a custom file filter automatically selects the items defined for that filter. 


You can see detailed information about what will be collected in the Collection Summary box. 


The size of the collected set of items appears to the right of the checkbox for the custom file 
filter. As with all other items in the list, if you select or deselect any users, the size is 
recalculated accordingly. 


Collection Templates 


Before you use collection templates, you should understand custom file filters as well. For more 
information, see Custom File Filters and Collection Templates. 


There are two approaches to defining collection templates. You may prefer to define collection 
templates that pertain to either the Mac or the Windows platform or you can define single 
collection templates that apply to both platforms at the same time. The latter approach is 
possible because the list of items is not restricted by the platform of the computer you happen to 
be using while you define collection templates. This means that you can define a single template 
with all the appropriate items selected for both the Mac and Windows platforms. When you apply 
the collection template to a source computer, the template items that pertain to the computer's 
platform are selected. The benefit is that one person with expertise can set up collection 
templates on Digital Collector devices used by more junior examiners. 


You can create a collection template based on any selections you have currently made in the 
Collection view or you can use the Collection Templates dialog box. 


For more information, see these topics: 


• Save Current Selections as a Template 
• Create and Manage Collection Templates 
• Apply a Collection Template 

Save Current Selections as a Template 


If you have made selections on the Collection view that you think you'll likely use often in the 
future, there are two ways you can save them as a collection template. 


1. • In the Menu bar, click Template > Save Current Selections as Template. 
   • Open the context menu from the list of items to collect and then click Save Current Selections 
     as Template. 

   The Collection Templates dialog box appears. 

   [Screenshot: Collection Templates dialog box] 

   In the Name field, type a descriptive name for this template. 

2. Review the items in the Template Selections list and, if necessary, mark or unmark the 
   checkboxes for any items, and then click Save. 


Create and Manage Collection Templates 


You can create, change, and delete collection templates. Collection templates can include any 
custom file filters you have created. 


1. Take one of these actions. 

• In the Menu bar, click Templates > Configure Collection Templates. 
• Open the context menu from the list of items to collect and then click Configure Collection 
Templates. 

2. In the Collection Templates dialog box, you can take any of these actions. 

Create a collection template: 

a. Click New Template. 
b. In the Name field, type a descriptive name for this collection template. 
c. In the Template Selections list, mark the checkbox for any items, groups, or custom file 
   filters to include in this template and then click Save. 

Change a collection template: 

a. In the Template Name list, select the appropriate template. 
b. As appropriate, change the name or mark or unmark the checkboxes to change what is 
   included in this template. 
c. Click Save. 

Delete a collection template: 

In the Template Name list, select the appropriate template and then click Delete Selected. 

Apply a Collection Template 


After you have defined a collection template, you can apply it to quickly and easily select the 
associated items to be collected from the source computer. 


1. Take one of these actions. 

• In the Menu bar, click Templates > Apply Collection Template. 
• Open the context menu from the list of items to collect and then click Apply Collection 
Template. 


2. Select the appropriate collection template. You can apply only one template at a time. 


If necessary, you can mark or unmark the checkboxes for any items, groups, or custom file 
filters. 


You can see detailed information about what will be collected in the Collection Summary box. 


If you select or deselect any users, the collection size is recalculated accordingly. 
Cellebrite Digital Collector has defined many preset groups of system data that you can select 
for collection. 


In the toolbar, click Collection, and then expand the SYSTEM DATA section of the list on the left 
side of the Collection view. 


The SYSTEM DATA section of the list looks like this on Windows computers. 

[Screenshot: SYSTEM DATA section of the Collection view on a Windows computer] 

The SYSTEM DATA section of the list looks like this on Mac computers. 

[Screenshot: SYSTEM DATA section of the Collection view on a Mac computer] 


You can select a system data collection option in the list to see details or a preview in the 
Collection Summary section, on the right side of the Collection view. 
To select system data, mark the checkbox to the right of each option to be collected. 


You can select or deselect all options in all sections of the list in the Collections view by using 
the context menu (right-click anywhere in the list) and choosing the appropriate action. 


When time is limited, you can quickly triage system data according to importance. Look at the 
total size shown for each option and look at the Collection Size field at the bottom of the 
Collection view, to the right of the list. When you mark or unmark the checkbox to the right of an 
option, thereby including or excluding it, Digital Collector automatically recalculates the size of 
the entire collection. The larger the size, the longer it will take to collect. 


Options for Collecting System Data 


These are the preset options for collecting system data. 


Option | Description | Mac / Windows 
Clipboard - Data | Collect current clipboard data | ✓ ✓ 
Disks - List | Collect a list of all attached drives and storage devices | ✓ ✓ 
Kernel - Kernel Extensions | Collect a list of installed kernel extensions (kext files) | ✓ 
Kernel - System State | Collect current kernel state (state specs, min/max capabilities) | ✓ 
Kernel - Version | Collect current kernel information | 
Network - ARP | Collect current Address Resolution Protocol (IP to MAC address table) for the primary interface | 
Network - Interfaces | Collect a list of system network interfaces | ✓ ✓ 
Network - Statistics | Collect active Internet connections (TCP and UDP) and Active Local Unix domain sockets (stream and datagram) | ✓ ✓ 
Screen - Screen Capture | Collect a screenshot of all system displays | ✓ 
System - Application List | Collect all applications (ending in .app) in the system Applications directory | ✓ 
System - Date | Collect current system date, time, and time zone | 
System - Environment Variables | Collect environment variable information | 
 | Collect printenv command return values (sudo user, default shell, current user home directory path, etc.) | 
System - Free Disk Space | Collect free disk space statistics for all mounted file systems | ✓ ✓ 
System - Host Name | Collect the computer's localhost name | ✓ ✓ 
System - I/O Kit Registry | Collect I/O Kit registry information | ✓ 
System - NVRAM Variables | Collect all firmware variables for Non-volatile RAM (NVRAM) | ✓ 
System - OS Version | Collect the operating system software version | ✓ ✓ 
System - Open Files | Collect a list of open files | ✓ 
System - Print Jobs | Collect print queue status | ✓ 
System - Printer Status | Collect CUPS printer status | ✓ 
System - Processes | Collect active system processes | ✓ ✓ 
System - Profile | Collect data about this computer, such as found on these windows: About this Mac; About, on Windows | ✓ ✓ 
System - Scheduled Tasks | Collect list of startup programs | ✓ ✓ 
System - Startup Programs | Collect a list of programs launched at startup | ✓ ✓ 
Users - Active | Collect a list of local and/or remote users who are currently logged into the computer | ✓ 
Users - All | Collect a list of user account information | ✓ ✓ 
Selecting System Files 


Cellebrite Digital Collector allows you to select and collect operating system files and artifacts 
on all internal or attached volumes. Many volume-specific system files contain valuable forensic 
information that is often overlooked or forgotten during collection and examination. 


In the toolbar, click Collection and then expand the SYSTEM FILES section of the list on the left 
side of the Collection view. 


The SYSTEM FILES section of the list looks like this on Windows computers. 

[Screenshot: SYSTEM FILES section of the Collection view on a Windows computer] 


The SYSTEM FILES section of the list looks like this on Mac computers. 

[Screenshot: SYSTEM FILES section of the Collection view on a Mac computer] 


There are two sections within the SYSTEM FILES section of the list. 


• <PLATFORM> VOLUMES, where PLATFORM is either MACOS or WINDOWS 
• FILES (PER VOLUME) 

These two sections of the list work together. 


1. In the <PLATFORM> VOLUMES section, mark the checkbox to the right of each volume that 
contains data of interest. 

2. In the FILES (PER VOLUME) section, you must then mark the checkbox to the right of each 
item to collect for the selected volumes. 


For example, you could select two of three possible volumes, and then select only Login, System 
Logs, and System Trash. The collection is then limited to only the selected items for the selected 
volumes. 


Look in the Collection Size field at the bottom of the Collection view, to the right of the list. If you 
deselect a volume or select another volume, or if you deselect an item or select another item, 
the size of the collection is recalculated to reflect excluding or including the selected items for 
the selected volumes. When time is limited, you can quickly triage volume data and system files 
according to importance. The larger the size, the longer it will take to collect. 


Options for Collecting System Files 


These are the preset options for system file items that can be collected. 


Option | Description | Mac / Windows 
AutoLogin Password | Collect the kcpassword file if it exists | ✓ 
Login | Collect lock screen files | ✓ 
Deleted Users | Collect deleted user preference files containing deleted user information | ✓ 
Installed Software | Collect the system preference containing a list of installed software | ✓ 
Login | From macOS, collect the /Library/Preferences/com.apple.loginwindow.plist file (which contains login information for the last user account that was logged into the system, and which may contain guest account login artifacts). From Windows, collect any folders with a path like this: Windows\SystemApps\Microsoft.LockApp_* These are associated with lockapp.exe, which is responsible for drawing part of the lock screen on Windows 10. | ✓ ✓ 
OS Install | Collect operating system install information and date | ✓ 
OS Version | Collect operating system version information | ✓ 
Print Spool | Collect printer cache and print spool information | ✓ ✓ 
Registry | Collect system registry | ✓ 
SleepImage | Collect the file containing the last laptop macOS system state prior to a drained battery-induced system shutdown | ✓ 
Software Updates | Collect Software Update application history | ✓ ✓ 
System Logs | Collect operating system log files | ✓ ✓ 
System Trash | Collect data contained in the system Trash folder or the Recycle Bin | ✓ ✓ 
iOS Lockdown Files | Collect locked iOS device escrow keys (iOS PIN/passcode) | ✓ 
Selecting Additional Files and Folders 


Cellebrite Digital Collector allows you to select and collect files and folders according to specific 
case requirements. These are typically files you select during triage on the Browser and Search 
views. For more information, see Browser View and Search View. 


These files appear in the Collection view in the ADDITIONAL FILES list. 




In the toolbar, click Collection and then expand the ADDITIONAL FILES section of the list on the left 
side of the Collection view. 


The ADDITIONAL FILES section of the list looks like this on Windows computers. 


[Screenshot: Collection view on Windows. The ADDITIONAL FILES section lists the selected items
with their sizes, for example Marketing December Updates 2020.docx (6.9 MB) and
Webinar-Digital Collector 3.1.docx (15.8 KB).]


The ADDITIONAL FILES section of the list looks like this on Mac computers. 


[Screenshot: Collection view on Mac. The ADDITIONAL FILES section, with its Select Files button,
lists the selected items with their sizes, for example iCloud Drive (Archive) (127.5 GB) and
Scans (568.1 MB).]


In the ADDITIONAL FILES list, you can see all folders and files you selected in the Browser or 
Search views. While you may select more items directly from this list, the Browser and Search 
views are recommended. 

1. To the right of ADDITIONAL FILES, click Select Files. 

2. In the Files and Folders Selection dialog box, navigate to the appropriate files and folders and
then click Select.
If you cannot see or select items, you should instead select them from the Browser or
Search views.


To remove a file or folder from the ADDITIONAL FILES list, click - (Remove) next to the item's 
name. 
Collecting Selected Data


Cellebrite Digital Collector lets you choose the destination for a collection, choose the file format 
for the collection, specify segmentation, and select hash values to compute. 


Before you begin: 


• Be sure the destination volume has enough room to hold the collection. The Digital Collector
solid state drive (SSD) has a storage volume, DCData, which is formatted exFAT. If space is
not sufficient in the DCData volume, you should connect an additional device for storage. For
more information, see Digital Collector Device and Other Equipment.

• Be sure the destination volume is mounted Read/Write. For more information, see Mount
Device Tool.

• If the format of the destination will be a folder, be sure that the file system of the destination
is the same type as on the source computer. This preserves the most metadata. For more
information, see Digital Collector Device and Format Device Tool.


Set the Destination for a Collection 


1. When you have finished choosing what needs to be collected, click Set to the right of the 
Destination field, below the Collection Summary on the Collection view. 

2. Choose the destination for the collection. 
If the source is a Mac computer booted from the Digital Collector SSD, you may see this 
message: iCloud Drive may not work properly. 
Click OK and continue with choosing the destination. 

3. In the Format field, choose the format for the collection. 


• Folder (Available only for Mac computers.)
• L01


4. In the Segment Size field, set the size of the segments for an L01 collection. 
You can choose a size or set a custom size. 

5. In Hashes, mark the checkbox for any verification hashes to compute for this collection, and 
then click Start. 
The Activity window appears, showing the progress of the collection. 


[Screenshot: Activity window with the Stop All and Clear Completed buttons, showing
"Acquiring data..." and the item in progress (27: System - Executables List).]


When the collection is complete, the Activity window shows the destination drive, path, and file 
name. 
Verifying Collected Data

After data collection is complete, the destination volume contains these files and folders. 


• If the collection is saved to a folder, you see a Files folder, a Logs folder, and a
Case_Details.log file.
• If the collection is saved to an L01 file, you see a Case_Details.log file. A Logs folder is created
but has no contents.


You can see the destination volume using File Explorer on Windows computers or Finder on Mac 
computers. 


This is an example of the destination volume on a Windows computer for an L01 collection. 


DCCollection_2020-12-11_12-10-09
  Name                                      Date modified
  Logs                                      12/11/2020 5:10 AM
  Case_Details.log                          12/11/2020 5:10 AM
  DCCollection_2020-12-11_12-10-09.L01      12/11/2020 5:10 AM


This is an example of the destination volume on a Mac computer for a folder collection. 

DCData > DCCollection_2021-01-12_23-47-24
  Case_Details.log    (Date Modified: Today at 15:53)
  Files
    Clipboard Data
    System Data
    System Files
    User Files
  Logs
    error.csv
    report.csv

Files Folder


The Files folder is created when the destination is a folder, but not an L01 file. 


The Files folder contains all the collected data in subfolders. Folders inside the Files folder have 
names that correspond to each section of the list in the Collection view such as System Data, 
User Files, and so forth. If the Clipboard Data option was selected, there is also a subfolder 
named Clipboard Data that contains a text file with the source computer's clipboard contents. 


The folders inside the Files folder are only created if you select at least one item in the 
corresponding section of the list on the Collection view. For instance, if nothing is selected in the 
ADDITIONAL FILES section, there is no Additional Files folder inside the Files folder after 
collection is complete. 


Logs Folder 


When the destination for the collection is L01, the Logs folder is empty. Otherwise, the Logs
folder contains comma-delimited report files. These files contain very detailed file status
information for each collected item, including item collection start and stop times, the item's
source path (where the item was on the suspect's computer), destination collection path (the
item's Data Collection/Files folder location), pre- and post-collection hash values (MD5, SHA-1,
and SHA-256), and whether or not the collected item was an alias or hidden file (status on both
the source and destination respectively).


These are the report files in the Logs folder. 


• report.csv contains status information for all files collected (does not contain task-based
output such as system information, and so forth).
• error.csv contains informational and error messages for items that could not be collected.


Case_Details.log File 


The Case_Details.log file contains collection start and stop times and any information that an 
examiner entered in the Digital Collector Case Details window before collection started. 


Case_Details.log

Digital Collector Version: 3.1

Data Collection Start Time: 2021-01-12 23:47:24 (GMT)
Data Collection Stop Time: 2021-01-12 23:53:40 (GMT)

Case Identification:
Collection
34
on: omewhere
Exhibit ID/Evidence #: 001
Description: Data Collection

Examiner Information:
Joe Wonder
E
Agency/Company: ACM
Section/Department: IR

Comments:

Creating an Image


With Cellebrite Digital Collector, you can create an image of entire hard drives and storage 
devices as well as individual volume partitions. 


You can create an image of a source computer that is started (booted) from the Digital Collector
solid state drive (SSD). For more information, see Starting a Computer with Digital Collector.


You can also create an image of a device or device partition that is attached to your live host 
computer. For Mac computers, you can create an image of live APFS volumes that are mounted 
read/write. 


On the toolbar, click Image. The Image view appears. 


This is an example of the Image view on a Mac computer. 


[Screenshot: Image view on a Mac. The left side lists Physical Memory, disk0 (APPLE SSD
AP1024M, 931.8 GB, PCI-Express) and the APFS container with its encrypted, unlocked volumes.
The right side shows the Format, Hashes (MD5, SHA1, SHA256) and Destination(s) settings.]


This is an example of the Image view on a Windows computer. 


[Screenshot: Image view on a Windows computer. The right side shows the Format list, Segment
Size (No Segments), the Hashes checkboxes (MD5, SHA1, SHA256), the Destination(s) list, and the
Image Device button.]


On the left side of the Image view, you can select the source drive or storage device. Device 
volumes or partitions are shown below their associated hard drive or storage device. 


On the right side of the Image view, you can choose settings for the destination of the image, 
including the hashes. 


These topics provide details about creating an image using Digital Collector. 


• Imaging Windows Computers
• Imaging Mac Computers
• Verify Image Creation
Imaging Windows Computers


You can acquire a physical or logical image of data from a source computer. If the source is a
physical device, Digital Collector can create a bit-by-bit forensic image. If the source is a logical 
slice or partition, Digital Collector can create a bit-by-bit forensic image. This flexibility allows 
you to quickly acquire targeted data if a full forensic image is not necessary or if time is limited. 


To create an image of a Windows computer, click Image in the toolbar. 


[Screenshot: Image view on a Windows computer. The left side lists Disk 0 - Sabrent Rocket Q
(1.8 TB) with OS (C:) on NTFS, Disk 2 - Mini128MB (123.2 MB) with Local Disk (F:) on FAT32, and
Disk 3 - Wireless Plus (931.5 GB) with Seagate Wireless (G:) on NTFS. The right side shows
Format, Segment Size (No Segments), Hashes (MD5, SHA1, SHA256) and Destination(s).]


All devices formatted with a recognizable file system are listed in the left side of the Image view. 
Device icons appear according to the type of each device. You can expand the list for any physical 
device that contains slices or partitions. 


This is the information you can see in the Image view. 


• internal physical hard drive (disk0)
• connected storage devices


You can choose the image format, the size of image segments, the hashing, and the destination. 
The more hash function options you choose, the longer it will take to create the image. If time is 
limited, you should select only the necessary options. 


If you formatted the DCData partition with NTFS, you cannot write to the DCData partition from a 
Windows computer started from the Digital Collector SSD. You can either format the DCData 
partition to exFAT or, if you must write to a destination formatted NTFS, you can use your own 
storage device as the destination. 


If you select an E01 image format, an image may be acquired onto no more than two destination 
volumes or folders. An E01 image will contain the MD5 and SHA-1 hash value within the image if 
these hash options are selected. 


The RAW image format does not store the hash value within the image. If you select the RAW 
image format, an image may be acquired to unlimited destination volumes or folders. 
Create an Image of a Windows Computer


1. On the left side of the Image view, select a device or a partition as the source.

2. In the Format field, choose the appropriate option.

• RAW
• E01 (Uncompressed)
• E01 (Empty Block Compression)
• E01 (Fast Compression)
• E01 (Best Compression)

3. In the Segment Size field, select the appropriate size of segments for this image or specify a
custom segment size.
You may leave this set to No Segments.

4. For Hashes, mark the checkboxes for the hash verification values to calculate for this image.

• MD5 (Message Digest 5)
• SHA1 (Secure Hash Algorithm 1)
• SHA256 (Secure Hash Algorithm 2, 256-bit length)

5. Below the bottom left corner of the Destination(s) list box, click + (Add) to add a destination
volume or folder.
To remove a destination, select the folder or volume name in the Destination(s) list box and
click - (Remove), or press DELETE.

6. To create the image, click Image Device.

7. Type the name of the image that will be created, and then click Continue.
If there is not enough available space in the destination, a message indicates how much
space is available on the destination drive and the space required to successfully acquire the
image from the source. Digital Collector does not estimate the size of a compressed image.
Take this into consideration and proceed with caution.

The Activity window and the Imaging in progress banner appear.


[Screenshot: Activity window during imaging]

Imaging \\.\PhysicalDrive2 to testTP
Imaged 98.0 MB (79.56%) [359.73 MBs/min] - Time remaining: 4 seconds


The Activity window indicates progress in terms of bytes complete, percentage complete, and
estimated time remaining. If you need to step away from the source machine during acquisition,
you can type a custom message in the Comments field on the Imaging in progress banner to
remind you of what Digital Collector is doing.


Hashes are computed after the image is created. The hash values appear in the Activity window 
and are also stored in the Acquisition Log.txt file, which is created in the image destination folder. 

[Screenshot: Activity window after imaging]

Imaged \\.\PhysicalDrive2 to testTP
MD5: 348E0D994A7027516A4844A476845702
SHA1: 361FC9A21B08E6A1E22FB59BBF4494801C69520F
Image complete.

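An independent re-check of the hashes reported after imaging, as an added example (not part of the Cellebrite documentation or product): it parses MD5:/SHA1: lines in the form shown in the Activity window above, then streams the image, or its segments in order, through every reported digest in a single pass. It assumes the reported digests cover the image bytes in order, as for a RAW image; the segment file names and sample bytes are constructed, and the caller supplies the ordered segment list because segment naming is not described here.

```python
import hashlib
import hmac
import re
import tempfile
from pathlib import Path

# Labels as printed in the Activity window, mapped to (hashlib name, hex length).
ALGORITHMS = {"MD5": ("md5", 32), "SHA1": ("sha1", 40), "SHA256": ("sha256", 64)}
# Accept "SHA1" and "SHA-1" style labels; capture the value loosely, validate below.
HASH_LINE = re.compile(r"^\s*(MD5|SHA-?1|SHA-?256)\s*:\s*(\S+)\s*$", re.IGNORECASE)


def parse_reported_hashes(text):
    """Return {label: lowercase hex} from 'LABEL: HEX' lines, ignoring other lines."""
    reported = {}
    for line in text.splitlines():
        match = HASH_LINE.match(line)
        if not match:
            continue
        label = match.group(1).upper().replace("-", "")
        value = match.group(2).lower()
        width = ALGORITHMS[label][1]
        # A truncated or mistyped digest must fail loudly, not compare as "different".
        if not re.fullmatch(r"[0-9a-f]{%d}" % width, value):
            raise ValueError(f"{label}: expected {width} hex digits, got {value!r}")
        if reported.setdefault(label, value) != value:
            raise ValueError(f"{label}: conflicting values in the reported text")
    return reported


def hash_image(segments, labels, chunk_size=1 << 20):
    """Stream the segments, in the order given, through all requested digests at once."""
    digests = {label: hashlib.new(ALGORITHMS[label][0]) for label in labels}
    total = 0
    for segment in segments:
        with open(segment, "rb") as handle:
            while chunk := handle.read(chunk_size):
                for digest in digests.values():
                    digest.update(chunk)
                total += len(chunk)
    return {label: d.hexdigest() for label, d in digests.items()}, total


def verify_image(segments, reported_text):
    """Recompute every digest named in reported_text and compare it with the report."""
    reported = parse_reported_hashes(reported_text)
    if not reported:
        raise ValueError("no hash lines found in the reported text")
    computed, size = hash_image(segments, reported)
    match = {k: hmac.compare_digest(computed[k], reported[k]) for k in reported}
    return {"bytes": size, "computed": computed, "match": match, "ok": all(match.values())}


def demo():
    """Constructed sample: a 3-byte 'image' (b'abc') split into two segments."""
    reported = (
        "Imaged sample to demo\n"
        "MD5: 900150983CD24FB0D6963F7D28E17F72\n"
        "SHA1: A9993E364706816ABA3E25717850C26C9CD0D89D\n"
        "Image complete.\n"
    )
    with tempfile.TemporaryDirectory() as tmp:
        first, second = Path(tmp, "sample.001"), Path(tmp, "sample.002")
        first.write_bytes(b"a")
        second.write_bytes(b"bc")
        in_order = verify_image([first, second], reported)
        # Segments supplied out of order describe different bytes and must not verify.
        swapped = verify_image([second, first], reported)
    return in_order, swapped


if __name__ == "__main__":
    for result in demo():
        print(result["ok"], result["bytes"], result["match"])
```

An E01 file is a container with its own internal structure, so hashing the file bytes this way does not reproduce the digests stored inside it; use an E01-aware tool for that format.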
Imaging Mac Computers


Cellebrite Digital Collector detects all connected computers, drives, and storage devices
formatted with a recognizable file system, and lists them in the left side of the Image view. Icons
appear according to the type of each device. You can expand the list for any physical device that 
contains slices or partitions. 


This is the information you can see in the Image view. 


• source system physical memory (RAM)
• internal physical hard drive (disk0)
• internal CoreStorage logical volume (disk1)
• external USB device (disk3)
• APFS Disk Image (disk4)
• APFS Container (disk5)


Slices and partitions are shown below the corresponding physical device. The slice or partition 
icon indicates file system type and content. 


Physical Memory (16.0 GB)
disk0 - APPLE SSD SM1024L (931.8 GB) - PCI-Express
  EFI (300.0 MB) - disk0s1 - EFI
  Recovery HD (619.8 MB) - disk0s3 - Apple_Boot
  [ENCRYPTED CoreStorage - disk1 contains decrypted data] disk0s2
disk1 - CoreStorage Logical Volume (930.6 GB) - decrypted data from disk0s2
  MacHD (930.6 GB, 806.4 GB used) - disk1 - Mac OS Extended (Journaled, Encrypted)
disk3 - ToughTech m3 (698.6 GB) - USB
  EFI (200.0 MB) - disk3s1 - EFI
  Images (697.7 GB, 552.7 GB used) - disk3s2 - Mac OS Extended (Journaled)
  Recovery HD (619.8 MB) - disk3s3 - Apple_Boot
disk4 - Disk Image (953.6 MB) - Disk Image
  [APFS Container - disk5 contains the APFS volumes] - (953.6 MB) - disk4s1
disk5 - APFS Container (synthesized) (953.6 MB) - Virtual - data from 1
  APFS_test (953.6 MB, 1.3 MB used) - disk5s1 - APFS (Case-insensitive) - select the APFS
  vol2 (953.6 MB, 1.2 MB used) - disk5s2 - APFS (Case-insensitive) - select the APFS contain


These are the types of physical devices. 


Drive Type

• Internal Hard Drive
• External USB Device
• External FireWire Device
• RAID Array

These are the types of logical devices.

Drive Type

• EFI or undefined Slice/Partition
• Windows File System
• Apple File System
• Apple Memory
• Apple Core Storage

For more information, see these topics: 


• Unlocking and Imaging CoreStorage FileVault 2 Volumes
• Imaging CoreStorage Fusion Volumes
• Imaging Single Disk (default) CoreStorage Volumes


Imaging Considerations for macOS 


This topic identifies capabilities and constraints in specific circumstances for macOS versions 
supported by the most recent version of Digital Collector. 


Cellebrite cannot ensure that Digital Collector will run properly on initial versions of major
macOS releases, such as 12.0 or 12.1. Support is generally declared by the time later versions
are released, such as 12.2.


M1 Mac Computers 
Digital Collector is supported on M1 computers running macOS 11 and 12. 


You can create images of source M1 Mac computers running macOS 11 and 12 either running
live or when started from the Digital Collector SSD (booted from the DC ARM volume). To see the
boot environment on M1 computers, you must hold down the power button until it appears. This
may take many seconds. You may then be prompted to do one of these actions:


• Select a user account that can unlock the operating system disk and provide a password for
that account.

• Provide the iCloud email address and password of a user that can unlock the operating
system disk.


You can image live APFS volumes that are mounted read/write. (A KEXT is no longer required.)
During this process the volume is locked/frozen. This can cause behavior that seems unusual
until imaging is complete.

Note: To create an image while Digital Collector is running live on macOS 12 Monterey, you must
first disable System Integrity Protection (SIP). You can search online for instructions.


Under rare conditions when creating an image (due to an Apple bug), the last few blocks may be
allocated and not readable. This failure is detected early in the imaging process and an 
explanation is written to the error log along with the suggestion that you should instead acquire 
a logical data collection. 


Some volumes in a macOS APFS container may unavoidably be mounted read-write. Digital 
Collector automatically remounts those volumes as read-only. This action does trigger an 
innocuous write on the computer being imaged, such as to a log file. 


• On macOS 11, the pre-boot and main data volumes are affected.

• On macOS 12, only the main data volume is affected.

• Volumes created by the user, both within the operating system APFS container and in newer
user-created APFS containers, are affected.


Due to NTFS driver limitations on newer versions of macOS, Digital Collector cannot write to an
NTFS-formatted drive. Previous versions of Digital Collector (including Legacy 2019) have full
NTFS support. These legacy boot versions are available on the Digital Collector device.


Be aware of possible constraints with the specific circumstances described here.


Big Sur 11


If the computer is running macOS 11.2, the user interface may respond very slowly. (M1 Macs 
running macOS 11.4 and later are not affected.) 


In rare cases, computers running macOS 11.0 or 11.1 may not start from Digital Collector's boot 
environment. If this happens, connect the Digital Collector SSD to the subject computer while it 
is running live or use Disk Sharing Mode. 


APFS and All Types of Hardware Encryption 


The workflow for imaging APFS volumes with all types of hardware encryption (T2 or M1) is
consistent and requires unlocking from within Digital Collector.


1. In the Image view, determine whether there are encrypted volumes that you do or may have a 
password for. 

2. For each of those volumes, click Tools > Mount Device, unlock the volume, and then mount it. 

3. In the Image view, select the device and click Image Device. 
File Systems, T2, FileVault 2


This chart can help you determine which device should be imaged, and when FileVault 2 must be 
unlocked before creating images. The actual disk numbers may differ from this depending on 
the specific circumstances for acquiring each image. 


• Parent physical disk is typically disk0

• Operating system APFS container disk is typically disk1

• Operating system APFS Fusion container disk (merged data from disk0 and disk1) is typically
disk2


File System/T2 Enabled | Fusion | FileVault 2 | Imaging
HFS Plus | No | No | Image parent physical disk.
HFS Plus | Yes | No | Image operating system APFS Fusion container disk.
HFS Plus | No | Yes | Image parent physical disk.
HFS Plus | Yes | Yes | 1. Unlock encrypted FileVault 2 data. 2. Image decrypted operating system APFS Fusion container disk.
APFS | No | No | Image parent physical disk. (Required if Bootcamp is present.) or Image operating system APFS container disk.
APFS | Yes | No | Image operating system APFS Fusion container disk.
APFS | No | Yes | Image parent physical disk. ¹
APFS | Yes | Yes | Image operating system APFS Fusion container disk. ¹
APFS T2 chip | No | No | Image operating system APFS container disk. ²
APFS T2 chip | Yes | No | Image operating system APFS Fusion container disk. ²
APFS T2 chip | No | Yes | 1. Unlock encrypted FileVault 2 data. 2. Image operating system APFS container disk. ²
APFS T2 chip | Yes | Yes | 1. Unlock encrypted FileVault 2 data. 2. Image operating system APFS Fusion container disk. ²


¹ On APFS computers without a T2 chip, FileVault 2 encrypted data can be decrypted later, during
analysis with Inspector.


² On computers with a T2 chip, you must provide a user login and password or Recovery Key
during acquisition.
Acquire a Physical or Logical Image of a Mac Computer


You can create images of connected computers, drives, and storage devices. You can also create 
images of live APFS volumes that are mounted read/write. During this process the volume is 
locked/frozen. This can cause behavior that seems unusual until imaging is complete. 


1. On the Digital Collector toolbar, click Image. 


[Screenshot: Digital Collector toolbar (Case, Browser, Search, Collection) and the Image view
with the Image Device button.]


2. On the left side of the Image view, select a device or device partition.
If the source device is a physical device, Digital Collector can create a bit-by-bit forensic
image. If the source device is a logical slice or partition, Digital Collector can create a
bit-by-bit forensic image. CoreStorage Logical Volumes include both allocated and unallocated
space. This flexibility allows you to select and quickly acquire data if a full forensic image is
not necessary or if time is limited.

3. Specify where the image will be saved. 
You can select multiple image destination locations. Below the bottom left corner of the 
Destination(s) list box, click + (Add) to add a destination volume or folder. To remove a 
destination, select the volume name in the Destination(s) list box and click - (Remove), or 
press DELETE. 
If this computer was started from the Digital Collector SSD, you may see this message: 
iCloud Drive may not work properly. 
Click OK and continue with choosing the destination. 

4. Specify the format for the image. 
If you select the Raw or DMG image format, an image may be acquired to unlimited 
destination volumes or folders. 
If you select the E01 image format, an image may be acquired to two destination volumes or 
folders. If you select the E01 image format and more than two destination volumes or 
folders, you see this message: Warning: Too many destinations specified for the 
selected format. In this case, you should remove a destination volume or folder. 
Apple File System Considerations


The Apple File System (APFS) replaced Mac OS Extended format (HFS Plus, or hierarchical file
system) as the default file system as of macOS High Sierra 10.13. APFS is much different than
Mac OS Extended format. APFS does not define a volume; rather it implements a container
which can host several volumes in it. APFS was designed for solid state drives, but it can work
with traditional drives.


APFS Container 


The APFS container by default does not have a limit on the size or location of the volumes within 
it. Unlike traditional partitions on disk, where sectors are allocated for each volume before they 
can be used, APFS allows all volumes to share a common pool of extents and they all report 
having total free space as the same. This also means that data from all volumes is interspersed, 
and that volumes are not contiguous. Space in the logical container pool can be used by one or 
more APFS volumes. APFS volumes grow and shrink by allocating unused blocks from the 
logical container pool and returning those blocks when files are deleted and space is freed. Each 
APFS container only knows about the blocks used by its own active files, and unallocated space 
is managed within the logical container pool. Because APFS volumes within a container are not 
traditional partitions, these volumes in the container cannot be individually imaged. 


If you choose to run Cellebrite Digital Collector live on a source computer, keep in mind that on
macOS 10.13 and later, while System Integrity Protection (SIP) is active, no user (not even root)
can read the physical disk the computer is currently started (booted) from, the physical partition
the computer is currently booted from, or the APFS container that holds the currently booted
volume. This makes it impossible to image the physical disk. To image, you must either boot the
source computer with Digital Collector or attach the source computer in target disk mode (TDM)
to another system with macOS 10.13 or later running Digital Collector. For more information,
see these topics.


• Start a Mac Computer with Digital Collector
• Connect a Source Mac Computer in Target Disk Mode


If you disable SIP, the APFS container can be imaged when you run Digital Collector on a live 
source computer. You must authenticate with an admin username and password when you start 
Digital Collector. For more information, see Imaging Considerations for macOS. 
When APFS is encountered, Digital Collector shows an additional device for the APFS container.
Digital Collector can image the physical disk device or the synthesized container. When booted to
Digital Collector, the physical disk is generally disk0 and the synthesized APFS container is
generally disk1.


[Screenshot: Image view device list. disk0 (APPLE SSD SM512E, 465.9 GB, SATA) holds an EFI
partition (disk0s1) and the APFS container partition. disk1 is the synthesized APFS container
(465.7 GB, Virtual) with its volumes on disk1s1 through disk1s5, including Preboot and Recovery.
disk3 is an external My Passport USB drive (1.8 TB) with a Mac OS Extended (Journaled) volume
on disk3s1.]


In this example, the APFS Container shows the volume Macintosh HD is locked. This indicates 
that FileVault 2 is in use; the FileVault Recovery Key or a user account login password is required 
to unlock the volume for logical data collection. 


For Mac computers without the T2 chip, the physical disk should be imaged to capture all data. 
When the physical disk is imaged, all the data on the device is captured for analysis, including 
other partitions that are not in the APFS Container. Encrypted partitions within the APFS 
Container will be imaged in the encrypted state and decrypted during the analysis phase of 
examination when FileVault 2 credentials are provided. 


The APFS Container can also be imaged separately, but the other data on the drive will not be 
captured. 


APFS Fusion Drives 


With the release of macOS Mojave 10.14, Apple provided an implementation for APFS Fusion 
drives. The APFS logical container pool may consist of blocks that span across multiple physical 
partitions. APFS logical containers allow all volumes in the container to share a common pool of 
extents; data from all volumes is interspersed and volumes are not contiguous. This 
necessitates an imaging tool that can handle imaging non-contiguous APFS containers. Since 
synthesized APFS containers do not have a limit on the size or location of the volumes within it, 
creating a bit-by-bit physical image is not realistic. 


Digital Collector performs a physical acquisition that attempts to collect data as it exists on the
disks, including data not available through the file system interfaces, providing more options for
analysis and recovery of historical or deleted data. A physical image created by Digital Collector
can provide access to APFS “Free Queue” blocks, APFS Snapshots, and data hidden in file slack.


To image non-contiguous APFS containers, Digital Collector creates an image using the open
standard Advanced Forensic File Format (AFF4) image format. AFF4 is supported by a number of
popular forensic tools, including Inspector. It provides modern compression algorithms and the 
flexibility required to efficiently image non-linear data found on APFS Fusion drives. 
When loaded in Digital Collector, the volumes on the physical drives used to create the APFS
logical containers are identified with this label, in red: APFS Container (Fusion). The label also 
indicates the disk of the synthesized APFS container, the volumes used to create the synthesized 
container, and whether they are locked. 


Physical Memory (16.0 GB)
disk0 - APPLE SSD SM128E (113.0 GB) - SATA
  EFI (200.0 MB) - disk0s1 - EFI
  [APFS Container (Fusion) - disk2 contains the APFS volumes]
disk1 - APPLE HDD HTS541010A9E662 (931.5 GB) - SATA
  EFI (200.0 MB) - disk1s1 - EFI
  [APFS Container (Fusion) - disk2 contains the APFS volumes]
disk2 - APFS Container (synthesized) (1.0 TB) - Virtual
  Macintosh HD - Data (1.0 TB) - disk2s1 - [ENCRYPTED APFS (LOCKED)]
  Preboot (1.0 TB) - disk2s2 - APFS
  Recovery (1.0 TB) - disk2s3 - APFS
  VM (1.0 TB) - disk2s4 - APFS
  Macintosh HD (1.0 TB) - disk2s5 - [ENCRYPTED APFS (LOCKED)]


In this example, disk0s2 and disk1s2 form the APFS container. The synthesized APFS container 
is represented by disk2. 


If the physical disk contains other volumes, such as a Bootcamp volume, they must be imaged 
separately. Any encrypted partitions within the APFS container can be imaged in the encrypted 
state and decrypted during the analysis phase of examination when FileVault 2 credentials are 
provided. The encrypted partitions can also be unlocked before acquisition to perform a logical 
data collection. 


The APFS container indicates the disks and partitions used to create the synthesized container 
and whether they are locked. 


Image an APFS Fusion Drive 


Encrypted containers do not have to be unlocked before you create a physical image of an APFS 
Fusion drive. The destination file system cannot be formatted FAT32 due to file size limitations. 
The image can only be saved to a single destination because AFF4 images cannot be segmented. 


1. On the Digital Collector toolbar, click Image. 
2. Select the disk that represents the synthesized APFS Container (disk2 in this example).


[Screenshot: Image view with the synthesized APFS container (disk2) selected. The right side
shows Format set to AFF4 (Compressed), Segment Size set to No Segments, the Hashes checkboxes
(MD5, SHA1, SHA256), the Destination(s) list, the Include Unallocated checkbox, and the Image
Device button.]


3. Choose the AFF4 image file format, either uncompressed or compressed. 
4. Choose the appropriate hashes. 
5. Below the bottom left corner of the Destination list box, click + (Add) to add the destination
volume or folder.

6. If you want the image to include unallocated space, mark the Include Unallocated checkbox.

7. Click Image Device. 


Hashes selected on the Image view are computed after the image is created. The hash values 
appear in the Activity window and are stored in the Acquisition Log.txt file created in the image 
destination folder. 


Unlock an APFS Fusion Drive 


Encrypted containers must be unlocked before you can collect targeted data. 


1. On the Digital Collector toolbar, click Tools > Mount Device, and then select the locked 
volume. 
2. In the bottom right corner of the Tools view, click Unlock Selected Device (Read Only).


[Screenshot: unlock dialog with the prompt "Enter a password, a recovery key or provide the
keychain file to unlock 'disk0s2'", the Password and Recovery Key fields, and the Select
Keychain File and Cancel buttons.]


3. Choose the appropriate option to provide credentials to unlock the volume. 


• In the Password field, type a password (one of the user account login passwords).

• In the Recovery Key field, type the recovery key.

• If you are an Enterprise user, click Select Keychain File, and then browse to select the
FileVault.keychain file.


4. Click Unlock. 
After the volume is unlocked, the Mount Device tab appears with the volume as read-only. 

5. On the Digital Collector toolbar, click Collection and select data for a targeted collection. For 
more information, see Collection View. 
Imaging M1 Mac Computers


Creating an image of an M1 Mac is similar to creating an image of a T2 Mac. For more 
information, see Imaging Mac Computers with T2 Chips. 


These are the key points you should be aware of. 
To create an image while Digital Collector is running live on macOS 12 Monterey, you must
first disable System Integrity Protection (SIP). You can search online for instructions.

An M1 Mac may require the password for an admin account when starting from an external
drive such as Digital Collector.

When you start an M1 Mac from Digital Collector, you must hold down the power button for
ten seconds to see the boot environment.

[Screenshot: boot environment with the Untitled, DC ARM Boot, and Options choices.]

Select DC ARM Boot and click Continue.
You may then be prompted to do one of these actions:

o Select a user account that can unlock the operating system disk and provide a password
for that account.

o Provide the iCloud email address and password of a user that can unlock the operating
system disk.

As with T2 Macs, the Macintosh HD data volume must be unlocked and mounted read-only.
Volumes are mounted read-write by the operating system's Recovery Assistant. Digital
Collector automatically attempts to unmount any volumes that are read-write. If any data
volumes are not mounted, click Tools > Mount Device to mount them as read-only.

Some volumes from the macOS APFS container may unavoidably be mounted read-write.
Digital Collector automatically remounts those volumes as read-only. This action does
trigger an innocuous write on the computer being imaged, such as to a log file.

o On macOS 11, the pre-boot and main data volumes are affected.

o On macOS 12, only the main data volume is affected.

o Volumes created by the user, both within the operating system APFS container and in
newer user-created APFS containers, are affected.

If iCloud Lock is enabled for the computer, you must provide the iCloud email address and
iCloud password.

If the computer is running macOS 11.2, the user interface may respond very slowly. M1 Macs
running macOS 11.4 and later are not affected.
Imaging Mac Computers with T2 Chips


Beginning in 2017, some Mac computers were built with Apple's T2 security chip, which provides 
hardware-assisted encryption for data stored on the computer. T2 chips are embedded into the 
disk controller and contain unique encryption keys. Encryption provided by the T2 chips works in
conjunction with FileVault 2. When FileVault 2 is enabled, the Recovery Key or password is 
required to decrypt the data. 


By default, all APFS volumes that contain user data on T2-protected computers are encrypted. 
The only way to decrypt the data is to use information embedded in the T2 chip for its
T2-protected computer. Currently, it is not possible to extract encryption keys from the T2 chip. If
the T2 chip is damaged, data can never be recovered from the drive. 


Cellebrite Digital Collector interfaces with the T2 chip to decrypt the file system at collection 
time, providing a physical image. Since the T2 chip is responsible for all encryption, all data must 
be decrypted during acquisition; it is not possible to decrypt the data at analysis time. Digital
Collector can also decrypt unallocated space. However, research and testing have revealed there 
is minimal data that remains in unallocated space after deleting files on Mac computers with a 
T2 chip. To save time, you can enable the option to skip imaging unallocated space. 


These are the ways you can acquire decrypted data from a Mac computer with a T2 chip using 
Digital Collector. 


Source Computer: Running

Digital Collector: Connect the Digital Collector SSD to the source computer to obtain a live
logical data collection. For more information, see these topics.
• Launch Digital Collector on a Live Mac Computer
• Collecting Data from a Source Computer

Requirements and Constraints: While some user data can be collected without a password, an
administrator password is [...]. Cannot acquire an image. Makes changes to the source
computer. For more information, see Appendix: Changes to Live Computers.


Source Computer: Not running

Digital Collector: The most forensically sound method requires a host computer, which must be
a Mac computer model from 2012-2019. Put the source computer into target disk mode (TDM),
start your host computer with Digital Collector, and connect the source to the host. Creating an
image is recommended. Obtaining a logical data collection is useful when you cannot create an
image. For more information, see these topics.
• Connect a Source Mac Computer in Target Disk Mode
• Start a Mac Computer with Digital Collector
• Collecting Data from a Source Computer

Requirements and Constraints: Does not require an administrator password for the source
computer. If Digital Collector detects that FileVault 2 is enabled, you must be able to unlock it.
Creating an image requires either the FileVault 2 password or the Recovery Key. Creating a
logical collection requires either the FileVault 2 password, the Recovery Key, or the keychain
file.


Source Computer: Not running

Digital Collector: If you do not have a host computer, change the secure start settings on the
source computer, and then use the startup manager on the source computer to start it with
Digital Collector. Creating an image is recommended. Obtaining a logical data collection is
useful when you cannot create an image. For more information, see these topics.
• Start a Mac Computer with Digital Collector
• Collecting Data from a Source Computer

Requirements and Constraints: Requires an administrator password to change the source
computer's secure start settings. If Digital Collector detects that FileVault 2 is enabled, you must
be able to unlock it. Creating an image requires either the FileVault 2 password or the Recovery
Key. Creating a logical collection requires either the FileVault 2 password, the Recovery Key, or
the keychain file.
When a T2 computer is started from Digital Collector, the physical disk displays this label in red:
APFS Container (T2). 




If the physical disk is imaged (disk0 in this example), the resulting image is encrypted. The 
information needed for decryption is on the T2 chip, so decryption must occur during acquisition. 
For Digital Collector to decrypt the macOS data, the synthesized APFS container needs to be 
imaged. If the synthesized APFS container contains locked volumes, you must enter the FileVault 
Recovery Key or a user account password to unlock the volume. 


• When you obtain a decrypted physical image, unlocking FileVault is built into the workflow
after you click Image Device.

• When you obtain a decrypted logical collection, you must first unlock FileVault in Tools >
Mount Device.


If the physical disk contains other volumes, such as a Bootcamp volume (not encrypted), they
must each be imaged separately. 


As the APFS container on the computer is acquired, Digital Collector interfaces with the T2 chip 
to decrypt the T2-protected data, creating a decrypted physical image. Pre-image hashing is not 
valid because the data is decrypted during the acquisition process. To create the physical image, 
Digital Collector creates an image using the open standard Advanced Forensic File Format 
(AFF4) image format. AFF4 provides modern compression algorithms and the flexibility required
to efficiently image non-linear data, the APFS container, while optionally skipping data such as 
the unallocated space. 
Acquire a Decrypted Physical Image of an APFS T2 Container


Unlocking FileVault 2 is built into the Digital Collector workflow for creating a decrypted physical 
image of an APFS container. Using the Mount Device tool in Digital Collector independently 
cannot create a decrypted physical image. 


1. In the Digital Collector toolbar, click Image. 

2. On the left side of the Image view, select the APFS Container. 

3. In the Format field, choose AFF4 (Compressed) or AFF4 (Uncompressed). AFF4 images 
cannot be segmented. They can only be saved to one destination and cannot be saved to 
FAT32 formatted drives due to file size limitations in FAT32. 

4. In Hashes, choose the appropriate hash types. Hashes selected on the Image view are 
calculated after the AFF4 image is created. 

5. Below the bottom left corner of the Destination list box, click + (Add) to add a destination 
volume or folder. 


[Screenshot: Image view listing disk0 - APPLE SSD AP1024M (931.8 GB) - PCI-Express with the
APFS Container (T2) - disk1 entry, and the disk1 volumes, including disk1s1 - [ENCRYPTED APFS
(unlocked)] and VM - disk1s4 - [ENCRYPTED APFS (LOCKED)]. The Format list is open with AFF4
(Uncompressed) shown, the Hashes options are MD5, SHA1, and SHA256, and the destination is
/Volumes/MQData/Destination.]


6. To save time by excluding unallocated space from the image, unmark the Include Unallocated 
checkbox. 


[Screenshot: the Include Unallocated checkbox and the Image Device button.]


7. Click Image Device. 
8. If FileVault 2 is enabled, a FileVault 2 message appears. 
You must provide credentials to unlock the volume. Choose one of these actions. 


• If you have account credentials for this computer, type the password in the Password
field.
• If you have the recovery key for this computer, type it in the Recovery Key field.


9. Click Unlock. 
Digital Collector starts creating a fully decrypted physical image. 
Unlocking and Imaging CoreStorage FileVault 2 Volumes


If you connect the Cellebrite Digital Collector solid state drive (SSD) to a live source computer 
and it has an encrypted CoreStorage (FileVault 2) boot volume or attached device, that data is 
unlocked and accessible. 


In the Digital Collector toolbar, click Image. 


Physical Memory (16.0 GB)
disk0 - APPLE SSD SM1024L (931.8 GB) - PCI-Express
    EFI (300.0 MB) - disk0s1 - EFI
    Recovery HD (619.8 MB) - disk0s3 - Apple_Boot
    [ENCRYPTED CoreStorage - disk1 contains decrypted data] disk0s2
disk1 - CoreStorage Logical Volume (930.6 GB) - decrypted data from disk0s2
    MacHD (930.6 GB, 806.4 GB used) - disk1 - Mac OS Extended (Journaled, Encrypted)
disk3 - ToughTech m3 (698.6 GB) - USB
    EFI (200.0 MB) - disk3s1 - EFI
    Images (697.7 GB, 552.7 GB used) - disk3s2 - Mac OS Extended (Journaled)
    Recovery HD (619.8 MB) - disk3s3 - Apple_Boot
disk4 - Disk Image (953.6 MB) - Disk Image
    [APFS Container - disk5 contains the APFS volumes] (953.6 MB) - disk4s1
disk5 - APFS Container (synthesized) (953.6 MB) - Virtual - data from disk4s1
    APFS_test (953.6 MB, 1.3 MB used) - disk5s1 - APFS (Case-insensitive) - select the APFS container's disk(s) to imag...
    vol2 (953.6 MB, 1.2 MB used) - disk5s2 - APFS (Case-insensitive) - select the APFS container's disk(s) to imag...


Digital Collector identifies which disk is the decrypted CoreStorage logical volume in red text, for 
example [ENCRYPTED CoreStorage - disk1 contains decrypted data]. In this example, you would 
select disk1 to image the decrypted and now readable data. 


If you know or can recover a boot volume CoreStorage decryption password or decryption 
Keychain file, a full disk image might be acquired by booting to the Digital Collector SSD and 
following these instructions.


Unlock a CoreStorage Volume 


1. To dismiss the full volume encryption warning message and launch Digital Collector, click 
Continue. The Digital Collector window appears. 

2. On the Digital Collector toolbar, click Tools. 

3. Click Mount Device, and then select the CoreStorage volume, as shown here. 


[Screenshot: Tools view with the Erase Device, Terminal, Hash Device, and Hash Image File tools.
The Mount Device list has the columns Partition, Volume, Writable Media, and Writable Volume.
The CoreStorage partition, Hitachi HTS727575A9E362 (697.8 GB, 0 Bytes used) - disk0s2 -
Apple_CoreStorage, volume MacintoshHD, is Not Mounted. The Unlock Selected Device (Read Only)
button is at the bottom.]
If the source computer is booted to the Digital Collector SSD, click Unlock Selected Device
(Read Only). 


[Screenshot: unlock dialog with the prompt "Enter a password, a recovery key or provide the
keychain file to unlock 'disk0s2'", the Password and Recovery Key fields, and the Select
Keychain File and Cancel buttons.]


Provide credentials to unlock the CoreStorage volume using the appropriate option. 


• In the Password field, type a password (often one of the user account login passwords).

• In the Recovery Key field, type the recovery key.

• If you are an Enterprise user, click Select Keychain File, and then browse to select the
FileVault.keychain file.


Click Unlock. 

After the CoreStorage volume is unlocked, the Mount Device tab appears with the decrypted 
read-only mounted CoreStorage disk. The CoreStorage logical volume mounts as a separate
disk after it is decrypted. 


[Screenshot: Mount Device list after the volume is unlocked. In addition to the partitions on
disk0 and disk1, the list now includes MacintoshHD (697.4 GB, 9.2 GB used) - disk20 - Mac OS
Extended, mounted Read Only. The Make Selected Device Read/Write button is at the bottom.]


Cellebrite


May 2022 Digital Collector User Guide 


Imaging a Decrypted CoreStorage Disk 
On the Digital Collector toolbar, click Image. 


These items related to CoreStorage appear: the encrypted volume and the decrypted logical 
volume. 


Physical Memory (8.0 GB)
disk0 - Hitachi HTS727575A9E362 (698.6 GB) - SATA
    EFI (200.0 MB, 0 Bytes used) - disk0s1 - EFI
    [ENCRYPTED CoreStorage - disk20 contains decrypted data] disk0s2
    Recovery HD (619.8 MB, 0 Bytes used) - disk0s3 - Apple_Boot
disk1 - MKNUFDVS8GB (7.3 GB) - USB
    EFI (200.0 MB, 0 Bytes used) - disk1s1 - EFI
    MacQuisition 2017R1 (1.8 GB, 0 Bytes used) - disk1s2 - Apple_HFS
    MacQuisition Secondary (1.3 GB, 1.2 GB used) - disk1s3 - Mac OS Extended
    MacQuisition Legacy (883.7 MB, 881.8 MB used) - disk1s4 - Mac OS Extended
    MQPreferences (122.0 MB, 12.8 MB used) - disk1s6 - Mac OS Extended (Journaled)
    Application (95.3 MB, 82.0 MB used) - disk1s5 - Mac OS Extended
    MQData (2.4 GB, 25.5 MB used) - disk1s7 - Mac OS Extended (Journaled)
disk20 - CoreStorage Logical Volume (697.4 GB)
    MacintoshHD (697.4 GB, 9.3 GB used) - disk20 - Mac OS Extended

Format: Raw
Segment Size: No Segments
Hashes: MD5, SHA1, SHA256
Destination(s):


In this example, disk0 contains the encrypted CoreStorage volume. After a CoreStorage volume
is decrypted, it mounts as a separate disk. The decrypted CoreStorage logical volume may not
appear immediately below the disk containing the encrypted CoreStorage volume. This is due to
the Mac operating system dynamically assigning BSD names (disk0, disk1, and so forth) to disks
as they are mounted to the file system. Disk0 and disk1 were already mounted to the file system
before the CoreStorage volume was decrypted. When the CoreStorage volume was unlocked, the
Mac operating system mounted the decrypted CoreStorage logical volume as disk20.


Digital Collector identifies which disk is the decrypted CoreStorage logical volume in red text, as 
in this example: [ENCRYPTED CoreStorage - disk20 contains decrypted data]. In this example, 
you would select disk20 to image the decrypted and now readable data. 


A CoreStorage logical volume has both allocated and unallocated space. 


After a decrypted CoreStorage image acquisition is complete, the disk_core_storage_table in the 
DCTracking.sdb file contains a CoreStorage acquisition record as seen here (viewed using
Inspector).


[Screenshot: Inspector showing /Evidence/MacQ/MacQTracking.sdb with the disk_core_storage_table
selected in the Tables list. The table has one record, with values including disk1, Apple_HFS,
Complete, MacSSD, 478908674048, and Online.]
Imaging CoreStorage Fusion Volumes


Apple's first implementation of CoreStorage was FileVault 2. They went on to use the 
CoreStorage logical volume manager to create the Fusion Drive, which is a volume capable of 
spanning two or more physical disks.


Cellebrite Digital Collector identifies Fusion and automatically lists the two or more parent 
physical disks and presents the Fusion volume as a single CoreStorage-managed logical 
volume. 


[Screenshot: Image view listing disk0 - APPLE SSD SM0128F (113.0 GB) - PCI and disk1 - APPLE HDD
HTS541010A9E662 (931.5 GB) - SATA, each with a partition labeled [CoreStorage Fusion - disk2
contains decoded data], followed by the disk2 logical volume (Mac OS Extended) and the USB drive
disk3 with its MacQuisition partitions. Format is Raw and Segment Size is No Segments.]


In this example, disk0 and disk1 are the physical disks that contain the spanned Fusion volume.
The red text [CoreStorage Fusion - disk2 contains decoded data] identifies the CoreStorage
logical volume that contains the decoded and now readable data. Disk2 is the CoreStorage
Logical Volume containing the merged data from both physical disks, disk0s2 and disk1s2. In
this example, you would select disk2 to image the combined readable data.


A CoreStorage Logical Volume has both allocated and unallocated space. 


When Apple ships a Fusion drive, it is not encrypted. The user may decide later to enable 
FileVault 2 encryption. For more information about imaging a Fusion drive with FileVault 2 
encryption, search for blog posts and videos at https://www.cellebrite.com/en/resources. 
Imaging Single Disk (default) CoreStorage Volumes


Some computers with OS X El Capitan 10.11.x and later have a standard CoreStorage volume. 
Before the release of APFS, this CoreStorage volume was the Mac operating system default for 
non-FileVault 2 single disk systems. Cellebrite Digital Collector identifies a physical disk that has 
CoreStorage and presents the CoreStorage logical volume. 


[Screenshot: Image view listing disk0 - Hitachi HTS727575A9E362 (698.6 GB) - SATA with the
partition [CoreStorage - disk1 contains decoded data] disk0s2, then disk1 - CoreStorage Logical
Volume (697.4 GB) - decoded data from disk0s2 containing MacintoshHD (697.4 GB, 10.3 GB used),
and the USB drive disk2 with its MacQuisition partitions. Format is Raw and Segment Size is No
Segments.]


In this example, disk0 is the physical disk with CoreStorage. The red text [CoreStorage - disk1
contains decoded data] identifies the CoreStorage logical volume that contains the decoded and
now readable data. Disk1 is the CoreStorage logical volume with decoded data. As of macOS
10.12.5, both the physical disk and logical volume of default CoreStorage are decoded and now
readable. In this example, you could select either disk0 or disk1 to acquire readable data. Be
aware that an image of disk1, the CoreStorage logical volume, will not include the EFI partition
or Recovery HD partition, which are contained on disk0, the actual physical disk.


A CoreStorage logical volume has both allocated and unallocated space. 
Destination Image File Options


In Cellebrite Digital Collector, you can select the destination image file format (physical bit-by-bit 
image file or logical acquisition image file).


On the right side of the Image view, click Format and choose one of these file types. 


Option | Description
AFF4 (Compressed)* | Create an Advanced Forensic File Format compressed image
AFF4 (Uncompressed)* | Create an Advanced Forensic File Format uncompressed image
Raw | Create a raw or dd image
DMG | Create an Apple disk image
E01 (Uncompressed) | Create an EnCase uncompressed image
E01 (Empty Block Compression) | Create an EnCase compressed image
E01 (Fast Compression) | Create an EnCase compressed image
E01 (Best Compression) | Create an EnCase compressed image


*AFF4 format is only available for APFS containers. AFF4 must be selected for APFS Fusion 
drives and computers with T2 chips. 


For all image formats except for AFF4, you may want to set segment size for the destination 
image file. This setting determines the size of each destination image file part. For example, if 
you image a 250 GB hard drive and choose the 4 GB segment size, Digital Collector creates 
roughly 62 4-GB file parts. 


On the right side of the Image view, click Segment Size and choose the appropriate size. You can 
choose any of these sizes, or you can specify a custom size in MB, GB, or TB.


• No Segments
• 640 MB
• 1 GB
• 4 GB
• 8 GB
• Custom


[Screenshot: Custom Segment Size dialog with the prompt "Enter the max size for the image
segment files:".]
Next, choose hash types for the image. You can mark any or all checkboxes to the left of these
options. 


• MD5 (Message Digest 5)
• SHA1 (Secure Hash Algorithm 1)
• SHA256 (Secure Hash Algorithm 2, 256-bit length)


The more hash function options you choose, the longer it will take to create the image. If time is
limited, you should select only the necessary options. 


An E01 image will contain the MD5 and SHA-1 hash value within the image if these hash options 
are selected. AFF4, Raw and DMG image formats do not store the hash values within the image. 


Once you have selected all the necessary destination file options, you can create the image. In 
the lower right corner of the Image view, click Image Device. 


[Screenshot: dialog with the prompt "Save image with following name:", the name disk2 Image,
and the Cancel and Continue buttons.]


Type the name of the image you are creating, and then click Continue. 


If you launch Digital Collector with restricted permissions but the source computer has admin- 
only permission settings, a warning message appears. Relaunch Digital Collector and enter an 
administrator password when prompted. 


The Imaging in progress bar indicates progress in terms of bytes complete, percentage 
complete, and estimated time remaining. If you need to step away from the source computer 
during acquisition, you can type a custom message in the text field. 


Hashes are computed after the image is created. The hash values appear in the Activity window 
and are also stored in the Acquisition Log.txt file, which is created in the image destination folder. 
For more information, see Verify Image Creation. 
Activity Window


While an image is being acquired, Cellebrite Digital Collector displays the Activity window. A 
progress bar indicates bytes complete, percentage complete, and estimated time remaining. 


To stop the acquisition process, click Stop All, or on the right side of the progress bar click X. 


[Screenshot: Activity window with the Stop All and Clear Completed buttons, showing "Imaging
/dev/rdisk1 to disk1 Image" with the progress line "Imaged 13.3 GB (35.46%) [6460.74 MBs/min] -
Time remaining: 3 minutes".]


When acquisition is complete, the Activity window shows the acquisition source, the destination, 
and the MD5 and SHA-1 hash values. If the SHA-256 hash option was also selected, that hash 
value appears in the Activity window and the Acquisition Log.txt file.


[Screenshot: Activity window showing "Imaged /dev/rdisk1 to disk1 Image", followed by the MD5
and SHA1 hash values and "Image complete".]


Hash Verification 


You can hash and verify an image before, during, and after the image is acquired. For more 
information, see these topics. 


• Setting Preferences on a Mac Computer
• Setting Preferences on a Windows Computer


This example shows a post-acquisition Activity window with the verification preference enabled. 


[Screenshot: Activity window with four entries for /dev/rdisk2s1. "(Pre-Imaging) Hashed
/dev/rdisk2s1", "Imaged /dev/rdisk2s1 to disk2s1 Image", and "(Post-Imaging) Hashed
/Evidence/disk2s1 2013-08-19 14-01-45/disk2s1 Image.00001" each list MD5, SHA1, and SHA256
values. "Validated image for /dev/rdisk2s1" lists the Source device, Imaging, and Destination
image values for MD5, SHA1, and SHA256, and ends with "Validation complete."]
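The validation shown above compares source, imaging, and destination digests for each hash type. As an added example (not Digital Collector code), this Python sketch repeats that check independently for a Raw image: it hashes the numbered segment files in order, in one pass, and compares the result with the values recorded in log text. The `LABEL: HEX` line layout, the numbered-suffix naming starting at .00001, and all function names are assumptions modeled on the Activity window output; the sample data is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Labels as shown in the Activity window, mapped to hashlib algorithm names.
ALGORITHMS = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256"}
# Assumed layout: "MD5: <hex>" or "Source device (MD5): <hex>".
HASH_LINE = re.compile(r"^\s*(?:[\w ]+\()?(MD5|SHA-?1|SHA-?256)\)?:\s*(.+?)\s*$")


def parse_logged_hashes(log_text):
    """Return {label: lowercase hex digest} for the hash lines in the log text."""
    found = {}
    for line in log_text.splitlines():
        match = HASH_LINE.match(line)
        if not match:
            continue
        label = match.group(1).upper().replace("-", "")
        value = match.group(2).lower()
        width = hashlib.new(ALGORITHMS[label]).digest_size * 2
        if not re.fullmatch(r"[0-9a-f]{%d}" % width, value):
            raise ValueError(f"malformed {label} value: {match.group(2)!r}")
        # Source, imaging and destination digests must all agree.
        if found.setdefault(label, value) != value:
            raise ValueError(f"log records conflicting {label} values")
    return found


def segment_paths(folder, image_name):
    """Return the numbered parts of a Raw image in order, e.g. 'disk2s1 Image.00001'."""
    pattern = re.compile(re.escape(image_name) + r"\.(\d+)")
    parts = sorted(
        (int(m.group(1)), p)
        for p in Path(folder).iterdir()
        if (m := pattern.fullmatch(p.name))
    )
    numbers = [n for n, _ in parts]
    # A gap in the numbering means a segment was lost or renamed.
    if not parts or numbers != list(range(1, len(parts) + 1)):
        raise FileNotFoundError(f"missing or misnumbered segments: {numbers}")
    return [p for _, p in parts]


def hash_segments(paths, labels, chunk_size=1 << 20):
    """Hash the concatenation of all segments once, feeding every algorithm."""
    hashers = {label: hashlib.new(ALGORITHMS[label]) for label in labels}
    for path in paths:
        with open(path, "rb") as handle:
            while chunk := handle.read(chunk_size):
                for hasher in hashers.values():
                    hasher.update(chunk)
    return {label: hasher.hexdigest() for label, hasher in hashers.items()}


def verify_image(folder, image_name, log_text):
    """Return {label: True/False} comparing recomputed digests with logged ones."""
    expected = parse_logged_hashes(log_text)
    if not expected:
        raise ValueError("no hash values found in log text")
    actual = hash_segments(segment_paths(folder, image_name), expected)
    return {label: actual[label] == expected[label] for label in expected}


def build_constructed_case(folder, image_name="disk2s1 Image", segment_size=4096):
    """Write a constructed 3-part image and return log text in the assumed layout."""
    data = bytes(range(256)) * 40  # 10240 bytes of constructed "disk" content
    for offset in range(0, len(data), segment_size):
        name = f"{image_name}.{offset // segment_size + 1:05d}"
        Path(folder, name).write_bytes(data[offset:offset + segment_size])
    lines = ["Validated image for /dev/rdisk2s1"]
    for label, algorithm in ALGORITHMS.items():
        digest = hashlib.new(algorithm, data).hexdigest().upper()
        lines.append(f"Source device ({label}): {digest}")
        lines.append(f"Destination image ({label}): {digest}")
    return "\n".join(lines)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        log = build_constructed_case(tmp)
        print("intact image:  ", verify_image(tmp, "disk2s1 Image", log))
        # Flip one bit in the middle segment; every digest must now differ.
        part = Path(tmp, "disk2s1 Image.00002")
        blob = bytearray(part.read_bytes())
        blob[0] ^= 1
        part.write_bytes(bytes(blob))
        print("modified image:", verify_image(tmp, "disk2s1 Image", log))
```

Run the check against a working copy of the image files, and adjust `segment_paths` if your output uses a different naming scheme.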
Verify Image Creation


Navigate to the destination image folder. On Mac computers, use Finder. On Windows 
computers, use File Explorer. 


The destination image folder contains a subfolder named with the source device name and the 
acquisition completion date and timestamp. This folder contains four types of log files and the 
acquired image file. 


In this example, the source device is disk1, so the MacBook_Image destination folder contains a
subfolder named disk1 2020-02-10 23-49-30.


My Passport > MacBook_Image
    disk1 2020-02-10 23-49-30
        Acquisition Log.txt
        Device.log
        disk1 Image.aff4
        IORegInfo.txt
        SystemSummary.txt
Acquisition Log.txt File


Creating an Image 


The Acquisition Log.txt file provides detailed acquisition information and hash values for each
hash option selected (MD5, SHA1, SHA256).




Digital Collector Version: 3.1 


Case Identification: 

Case Name: Fusion Mac Mini 

Case Number/ID: 0001 

Location: San Jose 

Exhibit ID/Evidence #: A 

Description: 2012 Mac Mini with APFS Fusion 


John Doe 
Agency/Company: ACME 
Section/Department: IR 


Comments: 


Source Device: /dev/rdisk2 


Disk Identifer: disk2 

Model: APPLE SSD SM128E 

Serial Number: SØX6NZAC702196 
Capacity: 1.0 TB (1121118199808 Bytes) 
Bus Protocol: Virtual 


Device Identifier: disk2s1 

Name: Macintosh HD - Data 

File System: APFS 

Capacity: 1.0 TB (1121118199808 Bytes) 


Volume UUID: 51F27CFD-823C-4120-A467-BA2F70B72438 


Device Identifier: disk2s2 

Name: Preboot 

File System: APFS 

Capacity: 1.0 TB (1121118199808 Bytes) 


Volume UUID: 9E6B9577-F1BA-4A19-S9EFE-C21C74AEDE87 


Device Identifier: disk2s3 

Name: Recovery 

File System: APFS 

Capacity: 1.0 TB (1121118199808 Bytes) 


Volume UUID: 8£B8476B-AFSA-484A-B40A-SABBF16CFB7E 


Device Identifier: disk2s4 

Name: VM 

File System: APFS 

Capacity: 1.0 TB (1121118199808 Bytes) 


Volume UUID: DEAB9294-5ED4-48D2-B714-5C2447EA05F4 


Device Identifier: disk2s5 

Name: Macintosh HD 

File System: APFS 

Capacity: 1.0 TB (1121118199808 Bytes)


Volume UUID: 0E8BDD66-157A-4EB2-AA05-70EA9B8B45A6 


Destination Path: /Volumes/DCData/disk2 2021-01-12 22-08-08/disk2 Image 


Acquisition Start Time: 2021-01-12 22:08:09 (GMT) 
Acquisition End Time: 2021-01-12 22:56:45 (GMT) 
Total Imaging Time: 48 minutes 36 seconds 
Format: AFF4 

Segmentation: No Segments 

Compression: LZ4 Compression

Include Unallocated: No 


Image Hashes: 
md5: 4A277C79637162803209C727569FB1E8 
sha1: E1A6F2D516FF701A41727B6E6QBC26CE773778A3


If you enable the imaging hash verification preference, the Acquisition Log.txt file contains hash
values for pre-, during-, and post-acquisition. For more information, see Menu Bar.
Device.log File


The Device.log file contains the dc3dd acquisition command that was issued as well as detailed 
information about the source device, including any errors that may have occurred during the 
acquisition process for images created with dc3dd. 




dc3dd 7.2.646 started at 2021-01-13 00:12:20 +0000
compiled options:
command line: /Applications/DigitalCollector.app/Contents/Helpers/dc3dd/dc3dd if=/dev/rdisk0s1 hash=md5 hash=sha1 log=/Volumes/DCData/EFI 2021-01-13 00-12-19/Device.log
device size: 76800 sectors (probed), 314,572,800 bytes
sector size: 4096 bytes (probed)
314572800 bytes ( 300 M ) copied ( 100% ), 2.18243 s, 137 M/s

input results for device `/dev/rdisk0s1':
   76800 sectors in
   0 bad sectors replaced by zeros
   DD998B9B7E661EB8F71EBDDD@9FOC89F (md5)
   SFA7FF6246359326E1BE1EBAC95258A63D54E877 (sha1)

output results for file `stdout':
   76800 sectors out

dc3dd completed at 2021-01-13 00:12:22 +0000


If you select the E01 file format for the destination image file, Digital Collector also creates a 
Device.2.log file. This file contains the hash values that were selected in the Image view. 
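
As an added example (not part of the original guide or of Digital Collector), this Python script parses the dc3dd fields shown in the Device.log excerpt above and cross-checks them against an independent one-pass hash of a raw image. It assumes the image is the raw, unsegmented byte stream that dc3dd hashed; the function names and the sample data are constructed for illustration.

```python
import hashlib
import io
import re

# Patterns for the dc3dd fields shown in the Device.log excerpt above.
SIZE_RE = re.compile(r"device size:\s*(\d+) sectors[^,]*,\s*([\d,]+) bytes")
SECTOR_SIZE_RE = re.compile(r"sector size:\s*(\d+) bytes")
IN_RE = re.compile(r"^\s*(\d+) sectors in\s*$", re.M)
OUT_RE = re.compile(r"^\s*(\d+) sectors out\s*$", re.M)
BAD_RE = re.compile(r"^\s*(\d+) bad sectors replaced by zeros", re.M)
HASH_RE = re.compile(r"^\s*([0-9A-Fa-f]{32,64}) \((md5|sha1|sha256)\)\s*$", re.M)


def parse_device_log(text):
    """Extract the counters and input-device hashes that dc3dd recorded."""
    def num(rx, group=1):
        m = rx.search(text)
        if m is None:
            raise ValueError("field not found in log: " + rx.pattern)
        return int(m.group(group).replace(",", ""))
    return {
        "sectors": num(SIZE_RE), "bytes": num(SIZE_RE, 2),
        "sector_size": num(SECTOR_SIZE_RE),
        "sectors_in": num(IN_RE), "sectors_out": num(OUT_RE),
        "bad_sectors": num(BAD_RE),
        "hashes": {alg: digest.lower() for digest, alg in HASH_RE.findall(text)},
    }


def hash_stream(stream, algorithms, chunk=1 << 20):
    """Read the stream once, updating every requested digest per chunk."""
    digests = {alg: hashlib.new(alg) for alg in algorithms}
    for block in iter(lambda: stream.read(chunk), b""):
        for d in digests.values():
            d.update(block)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def verify(log_text, image_stream):
    """Return findings; an empty list means the log and the image agree."""
    rec = parse_device_log(log_text)
    findings = []
    if rec["sectors"] * rec["sector_size"] != rec["bytes"]:
        findings.append("device size is not sectors x sector size")
    if rec["sectors_in"] != rec["sectors"]:
        findings.append("read %d of %d sectors" % (rec["sectors_in"], rec["sectors"]))
    if rec["sectors_in"] != rec["sectors_out"]:
        findings.append("sectors in and sectors out differ")
    if rec["bad_sectors"]:
        findings.append("%d bad sectors were replaced by zeros" % rec["bad_sectors"])
    if not rec["hashes"]:
        findings.append("log records no hash values")
    actual = hash_stream(image_stream, rec["hashes"])
    for alg, recorded in rec["hashes"].items():
        if actual[alg] != recorded:
            findings.append("%s mismatch: log %s, image %s" % (alg, recorded, actual[alg]))
    return findings


# Constructed sample: a two-sector "image" and a log in the excerpt's layout,
# with hash lines computed from the sample bytes (not from any real case).
SAMPLE_IMAGE = bytes(range(256)) * 32


def sample_log(image=SAMPLE_IMAGE, sector_size=4096):
    n = len(image) // sector_size
    h = hash_stream(io.BytesIO(image), ("md5", "sha1"))
    return (
        f"device size: {n} sectors (probed), {len(image):,} bytes\n"
        f"sector size: {sector_size} bytes (probed)\n"
        "input results for device `/dev/rdisk0s1':\n"
        f"   {n} sectors in\n"
        "   0 bad sectors replaced by zeros\n"
        f"   {h['md5'].upper()} (md5)\n"
        f"   {h['sha1'].upper()} (sha1)\n"
        "output results for file `stdout':\n"
        f"   {n} sectors out\n"
    )


if __name__ == "__main__":
    print(verify(sample_log(), io.BytesIO(SAMPLE_IMAGE)) or "log and image agree")
```

A container format such as AFF4 or E01 wraps the data with metadata and optional compression, so hashing the container file itself will not reproduce the device-stream hashes that dc3dd logs.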


SystemSummary.txt File 


The SystemSummary.txt file contains the system hardware overview from the system_profiler 
SPHardwareDataType command. 


Hardware: 


Hardware Overview: 


Model Name: MacBook Pro 

Model Identifier: MacBookPro10,1 
Processor Name: Quad-Core Intel Core i7 
Processor Speed: 2.6 GHz 

Number of Processors: 1 

Total Number of Cores: 4 

L2 Cache (per Core): 256 KB 

L3 Cache: 6 MB 

Hyper-Threading Technology: Enabled 
Memory: 16 GB 

Boot ROM Version: 259.0.0.0.0 


SMC Version (system): 2.3f36 
Serial Number (system): C02J24RHDKQ5 
Hardware UUID: 1£46B39B-F369-5972-8682-DASDEFC8BBF9 
IORegInfo.txt File


The IORegInfo.txt file contains output from the I/O Registry using the ioreg -w0 -l command.
Cellebrite Digital Collector includes advanced acquisition tools developed for experienced
forensic examiners. Some of these tools are only useful when the examiner starts (boots) the
source computer from the Digital Collector solid state drive (SSD), as they are unusable or
inappropriate during a live acquisition.


To access these advanced tools, in the Digital Collector toolbar, click Tools. 


Warning: Use caution when using the Digital Collector advanced tools. Improper use of these 
tools may result in evidentiary data loss or contamination. 


This chapter provides these topics. 


• Mount Device Tool
• Format Device Tool
• Hash Device Tool
• Hash Image File Tool
• Terminal Tool for macOS
• Terminal Tool for Windows


Mount Device Tool 


When you start (boot) a source computer from the Cellebrite Digital Collector solid state drive
(SSD), all source computer internal drives and mounted and attached devices are write protected
by default. This means that the operating system on the Digital Collector SSD cannot write to a
drive or device unless you change its mount status to read/write. When that is necessary, you
can use the Mount Device tool.
Tools


When a Mac computer has FileVault 2 enabled, the Mount Device tool can unlock FileVault 2 so 
that you can create a logical data collection. The Mount Device tool cannot unlock APFS 
containers for creating physical images. 


1. In the toolbar, click Tools > Mount Device. 
The Partition list shows all drives and devices. This list also shows attributes such as volume 
name, capacity, partition or slice name, file system type, a writable media indicator, and the 
device mount status, including Read/Write or Read Only. 


Mount a read-only device with read/write permissions:

   Select the device, and then click Make Selected Device Read/Write.

Unlock FileVault encryption on a Mac computer:

   a. Select the encrypted volume, and then click Unlock Selected Device (Read Only).
   b. You must provide credentials to unlock the volume. Choose one of these actions.
   c. If you have account credentials for this computer, type the password in the Password field.
   d. If you have the recovery key for this computer, type it in the Recovery Key field.
   e. If you are an Enterprise user, click Select Keychain File and then browse to select the FileVault.keychain file.
   f. Click Unlock.


2. Read the warning message, and then click Continue to complete the mount status change. 
Format Device Tool


You can format an entire disk, drive, or device, or a single disk, volume, or partition using the 
Format Device tool in Cellebrite Digital Collector. 


Internal hard drives and attached devices appear in a hierarchical list. Drive and device partitions 
appear below their associated drive or device. Device icons appear according to the type of 
device, such as internal, external, FireWire, or external USB. Partition icons appear according to 
the format of the partition's file system (if a file system exists).


1. In the toolbar, click Tools > Format Device. 

2. Click on the name of the correct internal disk, drive, external storage device, or single 
volume or partition. 

3. In the Volume Name field, type the appropriate name for the volume. 


4. Click Format and choose the appropriate file system format. You may choose from these file 
systems: 


• hfsx (Case Sensitive)
• HFS+ (hierarchical file system plus, also known as Mac OS Extended format)
• MS-DOS (FAT 32)
• NTFS (may not be available on Mac computers running with restricted permissions)
• exFAT (required for the DCData volume when the source computer runs Windows and is
booted from Digital Collector)


5. Click Format Volume. 

6. Read the warning message. 
Verify that you selected the correct disk, drive, device, or volume in Step 1 to be sure you do 
not accidentally format an entire disk if the intention is to erase a single volume. 

7. Click Continue. 
The volume is named and reformatted. 
Hash Device Tool


You may generate hash values for an internal drive, an external device, or a single volume using 
the Hash Device tool in Cellebrite Digital Collector. You can choose one or all of these options to 
generate the hash value. 


• Message Digest 5 (MD5)
• Secure Hash Algorithm 1 (SHA-1)
• Secure Hash Algorithm 2, 256-bit length (SHA-256)


Hard drives and attached devices appear on the Hash Device tab in a hierarchical list. Volumes 
appear below their associated drive or device. You can expand or collapse the view of volumes. 
Device icons appear according to the type of device, such as internal, external, FireWire, or 
external USB. Volume icons appear according to the format of the volume’s file system (if a file
system exists).


Hash an Entire Drive or a Single Volume 


1. In the toolbar, click Tools > Hash Device. 
Click the name of an internal drive, or external storage device, or a single volume. 

2. Mark the checkbox for any or all of the hash options, and then click Hash Entire Disk or Hash 
Volume. 
The Activity window shows hash progress expressed as hashed data complete, percentage 
complete, hashing speed (MBs/min), and estimated time remaining.
To stop a hash process, click Stop All. Read the warning message, and then click either 
Continue Activity or Stop Activity. 


When the hash process is complete, selected hash values appear in the Activity window and in 
the Hash Device tool window under the appropriate column according to hash type. 
Hash Image File Tool


You may generate hash values for one or more forensic image files using the Hash Image File 
tool in Cellebrite Digital Collector. These are the supported image file formats. 


• Raw image files (.001)
• EnCase image files (.E01)
• Apple disk image files (.dmg)
• Advanced Forensic File Format (.aff4)


1. In the toolbar, click Tools > Hash Image File. 
The Hash Image File tab appears. 




2. Click Select Image File(s). 

3. Browse to the image file or files, select it or them, and then click Open.

4. The Activity window shows hash progress expressed as hashed data complete, percentage 
complete, hashing speed (MBs/min), and estimated time remaining. If you select multiple
image files and hashes at the same time, the Activity window shows a progress bar for each 
hash process still in progress. 
[Screenshot: Activity window showing the entry "Hashing /Volumes/My Passport/images/disk6 Image.dmg" with the progress "Hashed 2.0 GB (14%)".]


To stop the hash process, click Stop All. Read the warning message, and then click either 
Continue Activity or Stop Activity. 

5. When the hash process is complete, selected hash values appear in the Activity window and 
in the Hash Image File tab in the appropriate column according to hash type. 


Terminal Tool for macOS


Cellebrite Digital Collector has the iTerm macOS Terminal (command line) emulation application
built in. You may run supported Terminal commands directly from within Digital Collector by 
using this Terminal tool. 


1. In the toolbar, click Tools > Terminal.
The Terminal tab shows this warning: This Terminal session runs as the ROOT user, therefore suspect devices can possibly be written to. Recommended for advanced users only, please exercise caution.


2. Click Launch Terminal. 
A terminal window opens, and a bash shell prompt appears. 


For more information, see http://www.iterm2.com. 


Terminal Tool for Windows 


You may run supported terminal commands directly from within Cellebrite Digital Collector by 
using this Terminal tool. 


1. In the toolbar, click Tools > Terminal.
The Terminal tab shows this warning: This Terminal session runs as the ROOT user, therefore suspect devices can possibly be written to. Recommended for advanced users only, please exercise caution.


2. Click Launch Terminal. 
A Windows PowerShell window appears with a command prompt. 
Frequently Asked Questions


These are some questions frequently asked about Cellebrite Digital Collector. 


Why is the DCData partition on the Digital Collector SSD 
formatted exFAT? 


The DCData partition on the Digital Collector SSD must have a format that is compatible with 
both Windows and macOS versions 11 and 12. Apple made changes in Big Sur and Monterey that 
prevent Digital Collector from writing to NTFS. We had previously discouraged writing macOS 
data to exFAT; however, our recent testing with macOS 11 and 12 has confirmed that exFAT 
drivers have improved and are stable for all Digital Collector image formats. Therefore, exFAT is 
the best format to ensure that data can be written to the DCData partition from computers 
running Windows or macOS versions 11 and 12, whether they are running live or booted from 
Digital Collector. 


When you acquire data from live or booted macOS computers, Digital Collector 3.3 and newer 
can write to the DCData partition when it is formatted as exFAT, APFS, or HFS Plus. Support for 
writing macOS data to NTFS is only available in the boot environments for Digital Collector 
versions 3.2 and 3.1 as well as the DC Legacy 2019 boot environment. 


When you acquire data from a live Windows computer, Digital Collector 3.3 and newer can write 
to the DCData partition if it is formatted as exFAT or NTFS. However, when a Windows computer 
is booted from Digital Collector 3.3, data can only be written to the DCData partition when it is 
formatted as exFAT. If you must write to a destination formatted NTFS, you can use your own 
storage device. 


Why is imaging stalling on a Mac laptop? 


If the imaging process seems to have stalled on a newer MacBook Pro, MacBook Air, or 
MacBook with a USB-C port, you should examine the computer time in the Case Details view in 
Digital Collector. When the battery of a newer Mac laptop is depleted, the computer time 
defaults to April 1, 1976. An incorrect computer time can cause Digital Collector to stall while 
imaging. You can adjust it to the current date and time for the imaging process to complete. 


1. In the Digital Collector toolbar, click Case Details.
If the Current machine time is not correct, an orange triangle appears.

2. Click Change.

3. In the Set System Clock window, adjust the date and time to the current date and time, and
then click Set Time.


Setting the system time does not affect the data obtained from the source Mac computer, which 
is attached or mounted as read-only. It does affect the date and time seen in the Digital Collector 
log files, for example the date and time the image is created. 


If the computer time is accurate in the Case Details view but imaging is stalled, try a different 
cable or a different destination drive. 


If imaging is still stalled, contact Technical Support. For more information, see Getting Support. 
How do I resolve the License Required message for Digital
Collector running live on macOS 10.15 or later?


Changes made by Apple affect how Digital Collector detects its license file on the solid-state
device (SSD) when it is connected to a live computer running macOS 10.15 Catalina or later. To 
run Digital Collector in this situation, you must first grant full disk access to Digital Collector. 
This requires administrator credentials. If you cannot provide administrator credentials, you can 
run Digital Collector with restricted permissions. 


Grant full disk access 


1. In the Apple menu, click System Preferences > Security & Privacy > Privacy. 

2. In the lower left corner of the Privacy tab, click the padlock and then provide administrator
credentials.

3. In the left pane, click Full Disk Access.

4. Either drag the Digital Collector app into the right pane or click + (Add) under the right pane 
and add the Digital Collector app from the Digital Collector volume of the SSD. 


Run with restricted permissions 


1. Launch Digital Collector. 
2. On the dialog box to enter user credentials, click Cancel. 
3. On the subsequent dialog box, click Run Restricted, and then click OK. 
Appendix: Changes to Live Computers


In many cases, investigators have no choice but to deal with a live computer, as it may be the
only viable option. However, any time we deal with a live computer, changes are unavoidably
made to its file system.


Therefore, investigators must know what they are doing and document all their actions so that 
they can be explained later if necessary. It is impossible to determine every single change that 
will be made on a live computer; there are too many variables that cannot be accounted for. That 
said, this is a high-level list of known changes that will be made simply by connecting a 
Cellebrite Digital Collector device and launching the application on a live computer. 


Legend 


new  New
%    Attributes modified
x    Deleted
A    Moved from
=    Content modified
N    Moved to


Computers with a Mac Operating System 


These are the biggest changes. 


• Time stamps for Accessed are updated for every previewed file.
• Running in Restricted mode will likely drop the /private/var/root/ files into the /Users/<USER>/
directory structure.


Changes Made by Connecting a Digital Collector Device 


Change Location 


% /private/var/db/diagnostics/Signpost/.tracev3 
% /private/var/db/diagnostics/Persist/.tracev3 
= /private/var/log/fsck_hfs.log 

% /private/var/db/uuidtext/ 

= /private/var/log/fsck_hfs.log 


/Volumes/DC M Boot 
/Volumes/MacOS App 
/Volumes/DCData 


>B HBH HB 


/private/var/db/reportmemoryexception 
Changes Made by Running Digital Collector Live


Change Location 


new /Users/<USER>/Library/Saved Application State/com.cellebrite.DigitalCollector.savedState/restorecount.plist


/private/var/db/diagnostics/Persist/.tracev3 


/private/var/folders/<items> 


/private/var/folders/<items> 


/Users/<USER>/Library/Application Support/com.apple.sharedfilelist/ 


% 
= 
x /private/var/folders/<items> 
x 
N 
K 


/Users/<USER>/Library/Application Support/com.apple.sharedfilelist/com.apple.LSSharedFileList.RecentApplications


A /Library/Catacomb/<GUID>/.dat.nosync<random value> 


N /Library/Catacomb/<GUID>/biolockout.cat 


= /private/var/folders/<temp folders>/com.cellebrite.DigitalCollector/com.apple.metal/3902/libraries.data

= /private/var/folders/<temp folders>/com.cellebrite.DigitalCollector/com.apple.metal/Intel(R) UHD Graphics 630/functions.data

new /private/var/root/Library/Saved Application State/com.cellebrite.DigitalCollector.savedState/restorecount.plist

% /private/var/db/uuidtext/<temp files>

% /private/var/db/diagnostics/Persist/<integer value>.tracev3

x /private/tmp/BBT-BDE12C4F8914

new /private/var/root/Library/Application Support/Cellebrite/DCTemp

x /private/var/root/Library/Saved Application State/com.cellebrite.DigitalCollector.savedState/restorecount.plist

new /private/var/root/Library/Application Support/Cellebrite/DCTemp/filetaskserr

% /private/var/root/Library/Application Support/Cellebrite/DCTemp/filetaskserr

= /private/var/root/Library/Application Support/Cellebrite/DCTemp/filetaskserr

A /Users/<USER>/Library/Application Support/com.apple.spotlight/.dat.nosync<random value>

N /Users/<USER>/Library/Application Support/com.apple.spotlight/appList.dat

x /private/var/root/Library/Saved Application State/com.cellebrite.DigitalCollector.savedState/data.data
/private/var/root/Library/Saved Application State/com.cellebrite.DigitalCollector.savedState/windows.plist

x /private/var/root/Library/Saved Application State/com.cellebrite.DigitalCollector.savedState/window_1.data


Changes Made by Previewing Files 


Change Location 


= /private/var/folders/<temp folders>/com.apple.QuickLook.thumbnailcache/thumbnails.data

= /private/var/folders/<temp folders>/com.apple.QuickLook.thumbnailcache/index.sqlite-shm

= /private/var/folders/<temp folders>/com.apple.QuickLook.thumbnailcache/index.sqlite-wal

= /private/var/folders/<temp folders>/com.apple.QuickLook.thumbnailcache/index.sqlite


/private/var/folders/<temp folders>/com.apple.QuickLook.thumbnailcache/dirty 


Xx 
new /private/var/root/Library/Application Support/Cellebrite/DCTemp/QLPreview 
B 


/private/var/root/Library/Application Support/Cellebrite/DCTemp/QLPreview/2019 Q4 BvA.xlsx.qlpreview

A /private/var/folders/<temp folders>/TemporaryItems/(A Document Being Saved By Quick Look Helper)/Preview.html

N /private/var/root/Library/Application Support/Cellebrite/DCTemp/QLPreview/2019 Q4 BvA.xlsx.qlpreview/Preview.html

me /private/var/folders/<temp folders>/com.apple.quicklook.QuickLookUIService/com.apple.quicklook.QuickLookUIService/com.apple.metal/<graphics card>

new /private/var/folders/<temp folders>/com.apple.quicklook.QuickLookUIService/com.apple.quicklook.QuickLookUIService/com.apple.metal/<graphics card>/functions.data

% /private/var/folders/<temp folders>/com.apple.quicklook.QuickLookUIService/com.apple.quicklook.QuickLookUIService/com.apple.metal/<graphics card value>/libraries.maps

new /private/var/folders/<temp folders>/com.apple.quicklook.QuickLookUIService/com.apple.quicklook.QuickLookUIService/com.apple.metal/<graphics card>/functions.maps